Agent Foskett Academy β’ Learn KQL β’ Microsoft Defender XDR
Agent Foskett Academy
KQL is not just query syntax.
It is how investigators ask questions of telemetry.
Inside Microsoft Defender XDR, Microsoft Sentinel, Entra ID and Exchange Online, the logs are constantly telling a story. The challenge is learning how to read that story, narrow the noise and follow the evidence.
Agent Foskett Academy was built to help analysts, engineers, students and defenders learn practical KQL through real-world investigations, Microsoft security telemetry and genuine threat hunting workflows.
This is not about memorising commands. It is about learning how to think like an investigator.
KQL AcademyMaster Microsoft Kusto Query Language through practical investigations
Sentinel AcademyBuild SIEM, SOAR and SOC skills with Microsoft Sentinel
Microsoft SecurityDefender XDR, Entra ID, Exchange Online and Azure security
Real InvestigationsEvery lesson is based on practical incident response and threat hunting
Learn how to investigate Microsoft security telemetry using practical KQL examples, Defender XDR hunting, Sentinel investigations and real-world attack scenarios.
Learn practical KQL
Understand Microsoft telemetry
Think like a threat hunter
π§ KQL is how investigators ask questions of data. Agent Foskett Academy focuses on practical investigations, Defender XDR hunting, Sentinel SOC workflows and learning how to follow the evidence inside Microsoft telemetry.
The original KQL learning path remains below with all existing lesson tiles and URLs preserved. The new Academy structure is now underway, with Microsoft Sentinel live and dedicated future sections for Entra, Defender and Security Copilot.
Existing Academy lesson URLs have not been moved. The new folders provide a cleaner structure for future academies while preserving the current KQL lesson catalogue and its search visibility.
Agent Foskett Academy is a practical Microsoft security learning path for people who want to understand KQL, Defender XDR telemetry and real-world threat hunting. The aim is simple: help defenders move from staring at logs to asking better investigation questions.
Built for real investigationsThe lessons connect KQL syntax to real security questions across email, identity, endpoint and cloud telemetry.
Beginner friendlyStart with the basics: tables, filters, timestamps, columns and reading your first KQL query without getting overwhelmed.
Investigator mindsetThe goal is not only to learn commands. The goal is to understand what the data is trying to tell you.
π
Browse the Academy by learning path
The Academy now contains over 130 lessons, so the learning path has been organised into clear modules. You can still search every lesson, but these pathways make it easier to start with the basics, focus on a specific investigation area, jump into Hunting Playbooks or follow complete Incident Response Workflows.
The lesson numbers have been kept exactly as they are. The Academy is now easier to navigate, but existing URLs, sitemap entries and internal links can continue to work without renumbering the course. New lessons now slot into the correct learning path rather than simply extending a long chronological list.
π Academy lessons by learning path
Follow the lessons from start to finish, or jump into the learning path that matches the investigation skill you want to build next.
Learning Path 1 β FoundationsKQL basics, Microsoft security tables, filtering, useful columns, sorting, summarising, time patterns, distinct values, top results and combining operators.
Lesson 1 β What is KQL?
Learn what Kusto Query Language is, where it is used inside Microsoft security platforms and why it matters for investigations.
Lesson 2 β Your First KQL Query
Learn how to run your first KQL query, filter telemetry by time and start exploring Microsoft Defender XDR telemetry.
Lesson 4 β Filtering KQL Results
Learn how to use where, contains, has, == and time filters to reduce noise and focus on suspicious activity inside Microsoft Defender XDR and Sentinel.
Lesson 5 β Choosing Useful Columns
Learn how to use project to remove clutter, focus on important evidence and display only the fields that matter during Microsoft security investigations.
Lesson 8 β Finding Time Patterns with bin()
Learn how to use bin() in KQL to group Microsoft Defender XDR and Sentinel telemetry into time ranges, helping defenders identify spikes, bursts and suspicious activity patterns.
Lesson 9 β Finding Unique Values with distinct
Learn how to use distinct in KQL to identify unique users, IP addresses, domains, devices and suspicious values hidden inside Microsoft Defender XDR and Sentinel telemetry.
Lesson 10 β Using top to Find High-Volume Activity
Learn how to use top in KQL to quickly identify the most active users, devices, IP addresses, senders and suspicious activity across Microsoft Defender XDR and Sentinel telemetry.
Lesson 14 β Connecting Tables with join
Learn how defenders use join to connect users, devices, sign-ins, email events, URL clicks and endpoint activity across multiple Microsoft security tables.
Lesson 18 β Using in to Search Multiple Indicators
Learn how defenders use the in operator to search for multiple users, IP addresses, devices, domains and other indicators across Microsoft Defender XDR and Sentinel telemetry.
Lesson 21 β Using startswith and endswith
Learn how defenders use startswith and endswith to identify suspicious filenames, domains, email addresses, URLs and command-line activity across Microsoft Defender XDR and Sentinel telemetry.
Lesson 22 β Using matches regex for Pattern Matching
Learn how defenders use matches regex to identify suspicious naming conventions, command-line patterns, file paths, domains, URLs and attacker techniques across Microsoft Defender XDR and Sentinel telemetry.
Lesson 23 β Using extract for Flexible Pattern Matching
Learn how defenders use flexible pattern matching to extract usernames, domains, URLs, command-line arguments and structured evidence from Microsoft Defender XDR and Sentinel telemetry.
Lesson 26 β Extracting Evidence with extract()
Learn how defenders use extract() with regular expressions to pull IP addresses, domains, ticket numbers, identifiers and hidden indicators from Microsoft Defender XDR and Sentinel telemetry.
Lesson 28 β Creating New Evidence Fields with extend
Learn how defenders use extend to create calculated fields, enrich evidence, normalise values and build more powerful Microsoft Defender XDR and Sentinel investigations.
Lesson 29 β Classifying Evidence with case()
Learn how defenders use case() to classify events, label suspicious activity, score evidence and make Microsoft Defender XDR and Sentinel investigation results easier to understand.
Lesson 30 β Adding Conditional Logic with iff()
Learn how defenders use iff() to create simple true-or-false investigation labels, flag suspicious activity and make Microsoft Defender XDR and Sentinel results easier to triage.
Lesson 31 β Converting Values with tostring()
Learn how defenders use tostring() to convert dynamic values, normalise investigation fields and avoid datatype issues across Microsoft Defender XDR and Sentinel telemetry.
Lesson 39 β Investigating AlertInfo in Microsoft Defender XDR
Learn how defenders use AlertInfo to investigate Microsoft Defender XDR alerts, review alert metadata, severity, categories, detection sources and prioritise suspicious activity for deeper investigation.
Lesson 41 β Investigating DeviceInfo in Microsoft Defender XDR
Learn how defenders use DeviceInfo to understand device inventory, operating systems, exposure context, logged-on users and endpoint details before pivoting into process, file, registry and network evidence.
Lesson 42 β Investigating DeviceEvents in Microsoft Defender XDR
Learn how defenders use DeviceEvents to investigate additional endpoint activity, security controls, device actions and supporting events that do not always appear in process, file, registry or network tables.
Lesson 50 β The Timeline Told The Story
Learn how defenders combine email, URL, identity, cloud, alert and incident telemetry to reconstruct a complete Microsoft Defender XDR investigation from initial access through to attacker activity.
Lesson 55 β Investigating DeliveryAction in Microsoft Defender XDR
Learn how defenders use DeliveryAction to understand what Microsoft 365 actually did with an email, including delivered, blocked, quarantined, redirected and other mail flow actions during Microsoft Defender XDR investigations.
Lesson 56 β Investigating ThreatTypes in Microsoft Defender XDR
Learn how defenders use ThreatTypes to understand whether Microsoft classified messages as phishing, malware, spam, spoofing, bulk mail or other email threats during Microsoft Defender XDR investigations.
Lesson 57 β Investigating DetectionMethods in Microsoft Defender XDR
Learn how defenders use DetectionMethods to understand how Microsoft identified, analysed and classified email threats, helping explain why messages were flagged as phishing, malware, spoofing, spam or other suspicious activity during Microsoft Defender XDR investigations.
Lesson 58 β Investigating EmailDirection in Microsoft Defender XDR
Learn how defenders use EmailDirection to determine whether messages were inbound, outbound or internal, helping investigators understand attack paths, user activity, mail flow behaviour and potential security incidents during Microsoft Defender XDR investigations.
Lesson 59 β Investigating OrgLevelAction in Microsoft Defender XDR
Learn how defenders use OrgLevelAction to understand what action Microsoft 365 organisational policies applied to suspicious email messages, helping explain whether messages were delivered, blocked, quarantined, redirected or otherwise handled during Microsoft Defender XDR investigations.
Lesson 60 β Investigating AuthenticationDetails in Microsoft Defender XDR
Learn how defenders use AuthenticationDetails to investigate SPF, DKIM, DMARC and composite authentication results, helping determine whether email messages were genuinely sent from trusted domains or potentially involved spoofing, impersonation or phishing activity during Microsoft Defender XDR investigations.
Lesson 61 β Investigating SenderIPv4 in Microsoft Defender XDR
Learn how defenders use SenderIPv4 to identify the originating IP address behind email messages, helping investigate phishing campaigns, spoofing attempts, suspicious infrastructure, sender reputation and malicious email activity during Microsoft Defender XDR investigations.
Lesson 62 β Investigating SenderIPv6 in Microsoft Defender XDR
Learn how defenders use SenderIPv6 to identify the originating IPv6 infrastructure behind email messages, helping investigate phishing campaigns, spoofing attempts, sender reputation, suspicious mail servers and malicious email activity during Microsoft Defender XDR investigations.
Lesson 63 β Investigating SenderMailFromAddress in Microsoft Defender XDR
Learn how defenders use SenderMailFromAddress to investigate the actual SMTP sender behind email messages, helping identify spoofing attempts, phishing attacks, mail flow anomalies and authentication issues during Microsoft Defender XDR investigations.
Lesson 64 β Investigating SenderMailFromDomain in Microsoft Defender XDR
Learn how defenders use SenderMailFromDomain to investigate the SMTP domain used during email delivery, helping identify spoofing attempts, SPF alignment issues, phishing campaigns, domain impersonation and email authentication anomalies during Microsoft Defender XDR investigations.
Lesson 65 β Investigating BulkComplaintLevel (BCL) in Microsoft Defender XDR
Learn how defenders use BulkComplaintLevel (BCL) to understand how Microsoft classifies newsletters, marketing campaigns and bulk email, helping investigate email reputation, spam filtering decisions, user complaints and message handling during Microsoft Defender XDR investigations.
Lesson 66 β Investigating CompositeAuthentication in Microsoft Defender XDR
Learn how defenders use CompositeAuthentication to understand Microsoft's overall authentication verdict, helping investigate SPF, DKIM, DMARC alignment, spoofing attempts, phishing campaigns and email trust decisions during Microsoft Defender XDR investigations.
Lesson 67 β Investigating RecipientEmailAddress in Microsoft Defender XDR
Learn how defenders use RecipientEmailAddress to identify who received suspicious messages, helping investigate phishing campaign reach, targeted users, email delivery activity and message distribution across Microsoft 365 during Microsoft Defender XDR investigations.
Lesson 68 β Investigating SenderFromDomain in Microsoft Defender XDR
Learn how defenders use SenderFromDomain to investigate the visible sender domain presented to recipients, helping identify domain impersonation, phishing campaigns, trusted-domain abuse and suspicious email activity during Microsoft Defender XDR investigations.
Lesson 69 β Investigating SenderDisplayName in Microsoft Defender XDR
Learn how defenders use SenderDisplayName to investigate display-name impersonation, executive spoofing, business email compromise (BEC), phishing campaigns and deceptive sender identities during Microsoft Defender XDR investigations.
Lesson 70 β Investigating Subject in Microsoft Defender XDR
Learn how defenders use Subject to investigate phishing campaigns, malicious lures, invoice fraud, credential harvesting attempts and campaign clustering by analysing email subjects during Microsoft Defender XDR investigations.
Lesson 71 β Investigating InternetMessageId in Microsoft Defender XDR
Learn how defenders use InternetMessageId to uniquely identify email messages across Microsoft Defender XDR and Exchange Online, helping correlate phishing reports, trace message delivery and connect related security events during Microsoft 365 investigations.
Lesson 72 β Investigating ReportId in Microsoft Defender XDR
Learn how defenders use ReportId to correlate related email events, group investigation evidence and identify activity belonging to the same Microsoft Defender XDR investigation across multiple security tables.
Lesson 74 β Investigating UrlChain in Microsoft Defender XDR
Learn how defenders use UrlChain to trace every redirect from the original clicked link to the final destination, helping uncover phishing infrastructure, malicious redirects and credential harvesting attacks during Microsoft Defender XDR investigations.
Lesson 75 β Investigating IsClickedThrough in Microsoft Defender XDR
Learn how defenders use IsClickedThrough to determine whether users continued beyond Microsoft Defender Safe Links protection, helping investigate successful phishing attempts, risky user behaviour and potential credential compromise during Microsoft Defender XDR investigations.
Lesson 76 β Investigating ActionType in UrlClickEvents
Learn how defenders use ActionType in UrlClickEvents to understand how Microsoft Defender handled URL clicks, helping investigate blocked, allowed and Safe Links-protected user activity during Microsoft Defender XDR investigations.
Lesson 77 β Correlating EmailEvents and UrlClickEvents in Microsoft Defender XDR
Learn how defenders correlate EmailEvents and UrlClickEvents using KQL to build complete phishing investigation timelines, identify affected users, determine who clicked malicious links and understand how Microsoft Defender XDR records email delivery and user interaction.
Lesson 78 β Correlating EmailEvents with DeviceProcessEvents in Microsoft Defender XDR
Learn how defenders correlate EmailEvents with DeviceProcessEvents using KQL to determine what executed on a device after a phishing email was delivered or an attachment was opened, helping identify malicious payload execution and endpoint compromise during Microsoft Defender XDR investigations.
Lesson 79 β Correlating EmailEvents with DeviceNetworkEvents in Microsoft Defender XDR
Learn how defenders correlate EmailEvents with DeviceNetworkEvents using KQL to determine whether a phishing email resulted in outbound network activity, helping identify malicious domains, command-and-control communication, payload downloads and endpoint compromise during Microsoft Defender XDR investigations.
Lesson 80 β Building a Complete Phishing Investigation in Microsoft Defender XDR
Learn how defenders combine EmailEvents, UrlClickEvents, DeviceProcessEvents and DeviceNetworkEvents to reconstruct an end-to-end phishing investigation, following an attack from email delivery through user interaction, endpoint execution and outbound network activity in Microsoft Defender XDR.
Lesson 95 β Using arg_max() in KQL
Learn how defenders use arg_max() to return the most recent event in each group, making Microsoft Defender XDR investigations faster, cleaner and easier to interpret.
Lesson 96 β Using make_set() in KQL
Learn how defenders use make_set() to build unique collections of users, devices, IP addresses, domains and other indicators, making Microsoft Defender XDR investigations easier to summarise and analyse.
Lesson 97 β Using mv-expand in KQL
Learn how defenders use mv-expand to split arrays and multi-value fields into individual records, making Microsoft Defender XDR investigations easier to analyse and uncover hidden evidence.
Lesson 98 β Using mv-apply in KQL
Learn how defenders use mv-apply to analyse multi-value fields with greater control, enabling advanced Microsoft Defender XDR threat hunting across arrays, nested objects and complex telemetry.
Lesson 99 β Using Regular Expressions (regex) in KQL
Learn how defenders use regular expressions (regex) in KQL to identify suspicious patterns, extract hidden data and perform advanced Microsoft Defender XDR threat hunting across emails, URLs, command lines and log data.
Lesson 100 β Building Reusable Hunting Queries in KQL
Learn how defenders build reusable KQL hunting queries using let statements, variables, reusable logic and modular techniques to create faster, more consistent Microsoft Defender XDR investigations.
Learning Path 9 β Hunting Playbook SeriesPractical Microsoft Defender XDR hunting playbooks for common attacker behaviours, from impossible travel and credential theft through to OAuth abuse, PowerShell, LOLBins, persistence, risky sign-ins, insider threats and ransomware.
Lesson 101 β Hunting Playbook: Impossible Travel
Learn how defenders hunt for impossible travel by correlating Microsoft Defender XDR and Microsoft Entra ID sign-in telemetry, IP addresses, locations and authentication activity to determine whether suspicious sign-ins represent legitimate travel or compromised credentials.
Lesson 102 β Hunting Playbook: Credential Theft
Learn how defenders hunt for credential theft by analysing suspicious sign-ins, authentication behaviour, token usage, password activity and Microsoft Defender XDR identity telemetry to identify compromised accounts before attackers can move laterally.
Lesson 104 β Hunting Playbook: OAuth Abuse
Learn how defenders hunt for OAuth abuse by investigating suspicious application consent, delegated permissions, token usage, Microsoft Entra ID activity and Microsoft Defender XDR telemetry to detect attackers maintaining persistent access through malicious applications.
Lesson 105 β Hunting Playbook: PowerShell Abuse
Learn how defenders hunt for malicious PowerShell activity by analysing Microsoft Defender XDR process events, command-line arguments, encoded commands and script execution to identify attacker reconnaissance, persistence and post-compromise behaviour.
Lesson 106 β Hunting Playbook: LOLBins
Learn how defenders hunt for Living Off the Land Binaries by analysing Microsoft Defender XDR process telemetry, parent-child process relationships, command-line activity and legitimate Windows tools being abused for malicious execution, persistence and lateral movement.
Lesson 107 β Hunting Playbook: Persistence Mechanisms
Learn how defenders hunt for attacker persistence by analysing Microsoft Defender XDR telemetry to detect scheduled tasks, services, startup folders, registry run keys, WMI event subscriptions and other techniques used to maintain long-term access to compromised systems.
Lesson 108 β Hunting Playbook: Risky Sign-ins
Learn how defenders hunt for risky sign-ins by analysing Microsoft Entra ID risk detections, Microsoft Defender XDR identity telemetry, authentication patterns, user behaviour and Conditional Access signals to identify compromised accounts and suspicious access attempts.
Lesson 109 β Hunting Playbook: Insider Threats
Learn how defenders hunt for insider threats by analysing Microsoft Defender XDR identity, endpoint and Microsoft 365 telemetry to identify unusual user behaviour, abnormal file access, privileged account misuse, suspicious data movement and indicators of malicious or compromised insider activity.
Lesson 110 β Hunting Playbook: Ransomware
Learn how defenders hunt for ransomware by analysing Microsoft Defender XDR endpoint, identity and file telemetry to detect encryption activity, privilege escalation, lateral movement, malicious processes and attacker behaviour before, during and after a ransomware attack.
Learning Path 10 β Incident Response WorkflowsComplete end-to-end investigation workflows that show how analysts respond to real security incidents, collect evidence, validate user activity, contain threats and close incidents using Microsoft Defender XDR telemetry.
Lesson 111 β Incident Response Workflow: Phishing Investigation
Learn how defenders investigate a phishing incident from the initial alert through to containment by analysing Microsoft Defender XDR email, identity, endpoint and Safe Links telemetry to determine delivery, user interaction, compromise and remediation.
Lesson 112 β Incident Response Workflow: Business Email Compromise
Learn how defenders investigate a Business Email Compromise (BEC) incident by analysing Microsoft Defender XDR email, identity and mailbox telemetry to identify unauthorised access, fraudulent email activity, mailbox manipulation, financial fraud indicators and post-compromise attacker behaviour.
Lesson 113 β Incident Response Workflow: Compromised User Account
Learn how defenders investigate a compromised user account by analysing Microsoft Defender XDR identity, endpoint and cloud telemetry to identify suspicious authentication activity, privilege escalation, attacker persistence, lateral movement and post-compromise behaviour.
Lesson 115 β Incident Response Workflow: Ransomware Incident
Learn how defenders investigate a ransomware incident by correlating Microsoft Defender XDR endpoint, identity, file and network telemetry to reconstruct the attack timeline, identify patient zero, determine the blast radius, contain the threat and support recovery activities.
Lesson 116 β Incident Response Workflow: Insider Threat Investigation
Learn how defenders investigate a suspected insider threat by analysing Microsoft Defender XDR identity, endpoint, cloud and file telemetry to identify unusual user behaviour, privileged access misuse, abnormal data access, policy violations and potential malicious or compromised insider activity.
Lesson 117 β Incident Response Workflow: Data Exfiltration
Learn how defenders investigate suspected data exfiltration by analysing Microsoft Defender XDR endpoint, identity, cloud and network telemetry to identify sensitive data access, large file transfers, cloud uploads, external sharing activity and potential data theft.
Lesson 118 β Incident Response Workflow: OAuth Application Compromise
Learn how defenders investigate a malicious OAuth application compromise by analysing Microsoft Defender XDR identity, cloud and Microsoft Entra ID telemetry to identify unauthorised application consent, delegated permissions, token abuse, persistent access and attacker activity across Microsoft 365 services.
Lesson 119 β Incident Response Workflow: Cloud Identity Attack
Learn how defenders investigate a cloud identity attack by analysing Microsoft Defender XDR identity, Microsoft Entra ID and cloud telemetry to identify suspicious authentication activity, privilege escalation, token abuse, Conditional Access bypass attempts and attacker movement across Microsoft 365 services.
Lesson 120 β Incident Response Workflow: Full Microsoft Defender XDR Investigation
Learn how defenders conduct a complete Microsoft Defender XDR investigation by correlating identity, endpoint, email, cloud and network telemetry to reconstruct the attack timeline, identify the initial compromise, determine the blast radius, contain the threat and document the incident from start to finish.
Lesson 122 β Advanced KQL: Working with Dynamic Data
Learn how security analysts work with dynamic data in KQL by exploring JSON objects, arrays and nested Microsoft Defender XDR telemetry using functions such as parse_json(), mv-expand, bag_unpack() and property accessors to extract valuable investigation evidence.
Lesson 123 β Advanced KQL: Mastering mv-expand
Learn how security analysts use mv-expand to expand arrays and multi-value fields within Microsoft Defender XDR telemetry, making it easier to analyse authentication details, alert evidence, entities and other complex datasets stored as dynamic objects.
Lesson 124 β Advanced KQL: Optimising Query Performance
Learn how to write faster, more scalable KQL by reducing unnecessary data processing, optimising joins, filtering early, minimising expensive operations and improving query efficiency across large Microsoft Defender XDR environments.
Lesson 125 β Advanced KQL: Building Reusable KQL Functions
Learn how security analysts create reusable KQL functions to standardise threat hunting, simplify complex queries, reduce duplicated logic and build scalable investigation workflows across Microsoft Defender XDR and Microsoft Sentinel.
Lesson 126 β Advanced KQL: Advanced parse_json()
Learn how security analysts use parse_json() to extract, navigate and analyse nested JSON objects within Microsoft Defender XDR telemetry, transforming complex dynamic data into meaningful investigation evidence.
Lesson 128 β Advanced KQL: Advanced Time Series Analysis
Learn how security analysts use advanced time series analysis in KQL to identify trends, detect anomalies, baseline normal behaviour and uncover suspicious activity across Microsoft Defender XDR telemetry using powerful time-based analytics.
Lesson 130 β Advanced KQL: Building a Complete Hunting Workbook
Learn how security analysts combine advanced KQL techniques to build a complete Microsoft Defender XDR hunting workbook, correlating identity, endpoint, email and cloud telemetry into a structured investigation framework for enterprise-scale threat hunting.
Agent Foskett Academy will continue expanding into practical Microsoft Defender XDR and Sentinel investigations, helping defenders build real-world KQL investigation skills step by step.
π Advanced KQL Series Complete
Congratulations! You have now completed all 130 Agent Foskett Academy lessons, progressing from KQL fundamentals through to advanced Microsoft Defender XDR threat hunting, enterprise investigations and complete hunting workbooks. Stay tuned as the Academy continues to grow with new investigation playbooks, Microsoft security technologies and real-world cyber defence content.
Your first KQL idea
A KQL query usually starts with a table, then narrows the result set using filters. This simple example starts with EmailEvents and asks: show me recent email activity from the last 24 hours.
Start with a tableEmailEvents tells Defender XDR which email telemetry source you want to investigate.
Filter the time windowThe where line narrows the query to recent data so you are not searching everything at once.
Project useful columnsProject helps you choose only the fields that matter for the investigation.
How to think in KQL
A good KQL query starts with a good investigation question. Before writing anything, ask what you are trying to prove, disprove or understand.
What happened?Start with the event. Was it an email, sign-in, process, URL click, alert or configuration change?
Who or what was involved?Pivot on the user, device, sender, IP address, URL, process name or message ID.
Does the behaviour make sense?The most important question is often not whether something happened, but whether it fits the environment.
Beginner topics coming next
The Academy can grow into a full KQL learning series, with each lesson becoming its own indexable page and linking back into real Agent Foskett investigations.
KQL FoundationsWhat is KQL? β’ where β’ project β’ summarize β’ order by β’ contains β’ has β’ in β’ time filters
Every Academy lesson should connect back to practical investigations. That is what makes the learning useful: syntax connected to real security outcomes.
Email investigationsUse KQL to investigate spoofed senders, DMARC failures, delivery actions, suspicious subjects and URL clicks.
Identity investigationsUse KQL to review sign-ins, MFA behaviour, session reuse, risky locations and authentication patterns.
Endpoint investigationsUse KQL to hunt process execution, suspicious command lines, LOLBins, network connections and device timelines.
The logs already know the story. Agent Foskett Academy helps investigators learn how to ask the right questions inside Microsoft telemetry.
KQL becomes powerful when it stops being a language you memorise and becomes a way of thinking.
Start with one question. Choose the right table. Filter the noise. Project the useful fields. Follow the evidence.
That is how investigations begin.
Agent Foskett Academy exists to help defenders learn KQL through real Microsoft security stories.
At GEMXITWe help organisations investigate Microsoft Defender XDR, Microsoft Sentinel, Entra ID, endpoint activity, email threats, KQL hunting and practical security operations workflows.
Agent Foskett mindset
The question is not only: βCan I write the query?β
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD
Microsoft Sentinel Academy lessons now live
Agent Foskett Academy now includes published Microsoft Sentinel lessons covering what Microsoft Sentinel is and how Microsoft Sentinel compares with Microsoft Defender XDR.
Agent Foskett Academy
Agent Foskett Academy helps analysts, engineers, students and defenders learn KQL through practical Microsoft Defender XDR, Microsoft Sentinel, Entra ID and Microsoft security investigations.
Learn KQL for Microsoft Defender XDR
GEMXIT provides practical KQL learning content covering EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents, SigninLogs, AuditLogs, Microsoft Defender Advanced Hunting and Sentinel investigations.
KQL Threat Hunting Training
Learn how to write KQL queries, understand Microsoft security telemetry, filter investigation data, project useful fields, review suspicious activity and think like a threat hunter.
Agent Foskett Academy Lessons
Agent Foskett Academy includes beginner KQL lessons covering what KQL is, how to run your first KQL query, how to understand Microsoft security tables and how to filter investigation results.