Agent Foskett Academy β€’ Learn KQL β€’ Microsoft Defender XDR

Agent Foskett Academy

KQL is not just query syntax.

It is how investigators ask questions of telemetry.

Inside Microsoft Defender XDR, Microsoft Sentinel, Entra ID and Exchange Online, the logs are constantly telling a story. The challenge is learning how to read that story, narrow the noise and follow the evidence.

Agent Foskett Academy was built to help analysts, engineers, students and defenders learn practical KQL through real-world investigations, Microsoft security telemetry and genuine threat hunting workflows.

This is not about memorising commands. It is about learning how to think like an investigator.

KQL Academy Master Microsoft Kusto Query Language through practical investigations
Sentinel Academy Build SIEM, SOAR and SOC skills with Microsoft Sentinel
Microsoft Security Defender XDR, Entra ID, Exchange Online and Azure security
Real Investigations Every lesson is based on practical incident response and threat hunting
Agent Foskett Academy learning KQL through Microsoft Defender XDR investigations
Academy overview

Learn how to investigate Microsoft security telemetry using practical KQL examples, Defender XDR hunting, Sentinel investigations and real-world attack scenarios.

Learn practical KQL
Understand Microsoft telemetry
Think like a threat hunter
🧠 KQL is how investigators ask questions of data.
Agent Foskett Academy focuses on practical investigations, Defender XDR hunting, Sentinel SOC workflows and learning how to follow the evidence inside Microsoft telemetry.
Contact GEMXIT β†’

Explore the Agent Foskett Academy structure

The original KQL learning path remains below with all existing lesson tiles and URLs preserved. The new Academy structure is now underway, with Microsoft Sentinel live and dedicated future sections for Entra, Defender and Security Copilot.
Existing Academy lesson URLs have not been moved. The new folders provide a cleaner structure for future academies while preserving the current KQL lesson catalogue and its search visibility.
Microsoft Sentinel Academy is now live.
Published lessons: Lesson 1 β€” What is Microsoft Sentinel?  β€’  Lesson 2 β€” Microsoft Sentinel vs Microsoft Defender XDR
Coming next: Lesson 3 β€” Log Analytics Workspace Basics.

What is Agent Foskett Academy?

Agent Foskett Academy is a practical Microsoft security learning path for people who want to understand KQL, Defender XDR telemetry and real-world threat hunting. The aim is simple: help defenders move from staring at logs to asking better investigation questions.
Built for real investigations The lessons connect KQL syntax to real security questions across email, identity, endpoint and cloud telemetry.
Beginner friendly Start with the basics: tables, filters, timestamps, columns and reading your first KQL query without getting overwhelmed.
Investigator mindset The goal is not only to learn commands. The goal is to understand what the data is trying to tell you.
πŸ”

Browse the Academy by learning path

The Academy now contains over 130 lessons, so the learning path has been organised into clear modules. You can still search every lesson, but these pathways make it easier to start with the basics, focus on a specific investigation area, jump into Hunting Playbooks or follow complete Incident Response Workflows.
Lessons 1–11
Foundations Start with KQL basics, Microsoft security tables, filtering, sorting, projecting, summarising and building your first investigation workflow.
Lessons 12–17
Investigation Workflow Move from single queries into Defender XDR tables, joins, timelines, reusable evidence and investigation parameters.
Lessons 18–32
KQL Operators & Functions Learn multi-indicator searches, string matching, regex, dynamic JSON, mv-expand, mv-apply, extend, case, iff and normalisation.
Lessons 33–50
Defender XDR Tables Explore endpoint, identity, alert, incident and behaviour telemetry including Device*, Identity*, AlertInfo and SecurityIncident.
Lessons 51–72
Email Security Investigations Investigate NetworkMessageId, authentication results, sender fields, delivery outcomes, ThreatTypes, BCL, recipients and message identifiers.
Lessons 73–80
URL Clicks & Phishing Correlation Work through UrlClickEvents, URL chains, click-through behaviour and end-to-end phishing investigations across email, endpoint and network telemetry.
Lessons 81–90
Attack Scenarios Apply the telemetry to lateral movement, PowerShell, ransomware behaviour, LOLBins, credential theft, persistence, IOC hunts and BEC investigations.
Lessons 91–100
Advanced Hunting Techniques Finish with advanced joins, reusable hunting queries, dynamic data, performance tuning, arg_max(), make_set(), mv-expand, mv-apply and regex.
Lessons 101–110
Hunting Playbook Series Apply KQL and Defender XDR telemetry to real attack behaviours including impossible travel, credential theft, OAuth abuse, PowerShell, LOLBins, persistence and ransomware.
Lessons 111–120
Incident Response Workflows Bring the Academy together with complete analyst workflows for phishing, Business Email Compromise, compromised accounts, malware, ransomware and full Defender XDR investigations.
The lesson numbers have been kept exactly as they are. The Academy is now easier to navigate, but existing URLs, sitemap entries and internal links can continue to work without renumbering the course. New lessons now slot into the correct learning path rather than simply extending a long chronological list.

πŸŽ“ Academy lessons by learning path

Follow the lessons from start to finish, or jump into the learning path that matches the investigation skill you want to build next.
Learning Path 1 β€” Foundations KQL basics, Microsoft security tables, filtering, useful columns, sorting, summarising, time patterns, distinct values, top results and combining operators.
Lessons 1–11 Microsoft Defender XDR KQL threat hunting
Lesson 1 β€” What is KQL? Learn what Kusto Query Language is, where it is used inside Microsoft security platforms and why it matters for investigations.
Lesson 2 β€” Your First KQL Query Learn how to run your first KQL query, filter telemetry by time and start exploring Microsoft Defender XDR telemetry.
Lesson 3 β€” Understanding Microsoft Security Tables Learn the difference between EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents and SigninLogs inside Microsoft Defender XDR.
Lesson 4 β€” Filtering KQL Results Learn how to use where, contains, has, == and time filters to reduce noise and focus on suspicious activity inside Microsoft Defender XDR and Sentinel.
Lesson 5 β€” Choosing Useful Columns Learn how to use project to remove clutter, focus on important evidence and display only the fields that matter during Microsoft security investigations.
Lesson 6 β€” Sorting and Understanding Results Learn how to use order by, desc and asc to sort Microsoft security telemetry and understand investigation timelines more clearly.
Lesson 7 β€” Counting and Grouping with summarize Learn how to use summarize, count() and by to count events, group activity and identify patterns across Microsoft Defender XDR and Sentinel telemetry.
Lesson 8 β€” Finding Time Patterns with bin() Learn how to use bin() in KQL to group Microsoft Defender XDR and Sentinel telemetry into time ranges, helping defenders identify spikes, bursts and suspicious activity patterns.
Lesson 9 β€” Finding Unique Values with distinct Learn how to use distinct in KQL to identify unique users, IP addresses, domains, devices and suspicious values hidden inside Microsoft Defender XDR and Sentinel telemetry.
Lesson 10 β€” Using top to Find High-Volume Activity Learn how to use top in KQL to quickly identify the most active users, devices, IP addresses, senders and suspicious activity across Microsoft Defender XDR and Sentinel telemetry.
Lesson 11 β€” Combining KQL Operators into Investigations Learn how defenders combine where, project, summarize, bin(), distinct, top and order by into practical Microsoft Defender XDR and Sentinel investigation workflows.
Learning Path 2 β€” Investigation Workflow Core investigation workflows using EmailEvents, UrlClickEvents, joins, timelines, reusable evidence and investigation parameters.
Lessons 12–17 Microsoft Defender XDR KQL threat hunting
Lesson 12 β€” Investigating EmailEvents in Microsoft Defender XDR Learn how to use EmailEvents to investigate senders, recipients, subjects, delivery actions, NetworkMessageId, AuthenticationDetails and suspicious email activity inside Microsoft Defender XDR.
Lesson 13 β€” Investigating UrlClickEvents in Microsoft Defender XDR Learn how to use UrlClickEvents to investigate Safe Links clicks, suspicious URLs, user activity, ThreatTypes and phishing behaviour inside Microsoft Defender XDR.
Lesson 14 β€” Connecting Tables with join Learn how defenders use join to connect users, devices, sign-ins, email events, URL clicks and endpoint activity across multiple Microsoft security tables.
Lesson 15 β€” Building Investigation Timelines with KQL Learn how defenders build clear investigation timelines by ordering events, comparing timestamps and following activity across Microsoft security telemetry.
Lesson 16 β€” Using let Statements to Reuse Evidence Learn how defenders use let statements to create reusable evidence sets, keep KQL queries cleaner and build more structured Microsoft Defender XDR investigations.
Lesson 17 β€” Creating Investigation Parameters Learn how defenders create flexible KQL investigations using reusable parameters for users, devices, IP addresses, domains and time ranges.
Learning Path 3 β€” KQL Operators & Functions Multi-indicator searching, text matching, regex, parse, dynamic data, mv-expand, mv-apply, extend, case(), iff(), tostring() and text normalisation.
Lessons 18–32 Microsoft Defender XDR KQL threat hunting
Lesson 18 β€” Using in to Search Multiple Indicators Learn how defenders use the in operator to search for multiple users, IP addresses, devices, domains and other indicators across Microsoft Defender XDR and Sentinel telemetry.
Lesson 19 β€” Using has_any to Find Suspicious Text Learn how defenders use has_any to search for multiple suspicious words, domains, commands and indicators inside Microsoft Defender XDR and Sentinel telemetry.
Lesson 20 β€” Using contains_cs for Case-Sensitive Searches Learn how defenders use case-sensitive KQL searches to find exact text matches, suspicious commands, filenames and indicators without creating unnecessary noise.
Lesson 21 β€” Using startswith and endswith Learn how defenders use startswith and endswith to identify suspicious filenames, domains, email addresses, URLs and command-line activity across Microsoft Defender XDR and Sentinel telemetry.
Lesson 22 β€” Using matches regex for Pattern Matching Learn how defenders use matches regex to identify suspicious naming conventions, command-line patterns, file paths, domains, URLs and attacker techniques across Microsoft Defender XDR and Sentinel telemetry.
Lesson 23 β€” Using extract for Flexible Pattern Matching Learn how defenders use flexible pattern matching to extract usernames, domains, URLs, command-line arguments and structured evidence from Microsoft Defender XDR and Sentinel telemetry.
Lesson 24 β€” Expanding Multi-Value Data with mv-expand Learn how defenders use mv-expand to break apart arrays, lists and dynamic fields, allowing deeper analysis of Microsoft Defender XDR and Sentinel telemetry.
Lesson 25 β€” Working with Dynamic Data using parse_json() Learn how defenders use parse_json() to access nested values, investigate complex Microsoft Defender XDR telemetry and work with structured security data.
Lesson 26 β€” Extracting Evidence with extract() Learn how defenders use extract() with regular expressions to pull IP addresses, domains, ticket numbers, identifiers and hidden indicators from Microsoft Defender XDR and Sentinel telemetry.
Lesson 27 β€” Advanced Multi-Value Investigations with mv-apply Learn how defenders use mv-apply to work with arrays, nested values and multi-value telemetry while keeping investigation context inside Microsoft Defender XDR and Sentinel.
Lesson 28 β€” Creating New Evidence Fields with extend Learn how defenders use extend to create calculated fields, enrich evidence, normalise values and build more powerful Microsoft Defender XDR and Sentinel investigations.
Lesson 29 β€” Classifying Evidence with case() Learn how defenders use case() to classify events, label suspicious activity, score evidence and make Microsoft Defender XDR and Sentinel investigation results easier to understand.
Lesson 30 β€” Adding Conditional Logic with iff() Learn how defenders use iff() to create simple true-or-false investigation labels, flag suspicious activity and make Microsoft Defender XDR and Sentinel results easier to triage.
Lesson 31 β€” Converting Values with tostring() Learn how defenders use tostring() to convert dynamic values, normalise investigation fields and avoid datatype issues across Microsoft Defender XDR and Sentinel telemetry.
Lesson 32 β€” Normalising Text with tolower() and toupper() Learn how defenders use tolower() and toupper() to normalise usernames, domains, email addresses, filenames and command-line values before comparing investigation evidence.
Learning Path 4 β€” Defender XDR Tables Endpoint, identity, alert, incident and behaviour telemetry across Device*, Identity*, AlertInfo, AlertEvidence, SecurityIncident and timeline investigations.
Lessons 33–50 Microsoft Defender XDR KQL threat hunting
Lesson 33 β€” Investigating DeviceNetworkEvents in Microsoft Defender XDR Learn how defenders use DeviceNetworkEvents to investigate outbound connections, remote IPs, ports, domains and suspicious network activity inside Microsoft Defender XDR.
Lesson 34 β€” Investigating DeviceFileEvents in Microsoft Defender XDR Learn how defenders use DeviceFileEvents to investigate file creation, downloads, suspicious archives, scripts, malware payloads and file activity inside Microsoft Defender XDR.
Lesson 35 β€” Investigating DeviceProcessEvents in Microsoft Defender XDR Learn how defenders use DeviceProcessEvents to investigate process execution, command lines, parent-child relationships, suspicious scripts and endpoint activity inside Microsoft Defender XDR.
Lesson 36 β€” Investigating DeviceRegistryEvents in Microsoft Defender XDR Learn how defenders use DeviceRegistryEvents to investigate registry changes, persistence techniques, suspicious autoruns and endpoint modification activity inside Microsoft Defender XDR.
Lesson 37 β€” Investigating IdentityLogonEvents in Microsoft Defender XDR Learn how defenders use IdentityLogonEvents to investigate authentication activity, successful and failed logons, account access patterns, risky sign-ins and identity-based attack activity inside Microsoft Defender XDR.
Lesson 38 β€” Investigating IdentityDirectoryEvents in Microsoft Defender XDR Learn how defenders use IdentityDirectoryEvents to investigate group membership changes, account modifications, privileged role assignments and directory-based attack activity inside Microsoft Defender XDR.
Lesson 39 β€” Investigating AlertInfo in Microsoft Defender XDR Learn how defenders use AlertInfo to investigate Microsoft Defender XDR alerts, review alert metadata, severity, categories, detection sources and prioritise suspicious activity for deeper investigation.
Lesson 40 β€” Investigating AlertEvidence in Microsoft Defender XDR Learn how defenders use AlertEvidence to connect Microsoft Defender XDR alerts to the users, devices, files, processes, IP addresses, URLs and entities involved in an investigation.
Lesson 41 β€” Investigating DeviceInfo in Microsoft Defender XDR Learn how defenders use DeviceInfo to understand device inventory, operating systems, exposure context, logged-on users and endpoint details before pivoting into process, file, registry and network evidence.
Lesson 42 β€” Investigating DeviceEvents in Microsoft Defender XDR Learn how defenders use DeviceEvents to investigate additional endpoint activity, security controls, device actions and supporting events that do not always appear in process, file, registry or network tables.
Lesson 43 β€” Investigating DeviceLogonEvents in Microsoft Defender XDR Learn how defenders use DeviceLogonEvents to investigate local logons, remote interactive logons, failed authentication attempts, account usage and suspicious endpoint sign-in activity.
Lesson 44 β€” Investigating EmailAttachmentInfo in Microsoft Defender XDR Learn how defenders use EmailAttachmentInfo to investigate attachment names, file hashes, suspicious payloads, malware delivery and email-borne threats inside Microsoft Defender XDR.
Lesson 45 β€” Investigating EmailUrlInfo in Microsoft Defender XDR Learn how defenders use EmailUrlInfo to investigate URLs embedded in emails, malicious links, phishing campaigns, Safe Links activity and web-based attack techniques inside Microsoft Defender XDR.
Lesson 46 β€” Investigating CloudAppEvents: The User Passed MFA. The Attacker Still Got In. Learn how defenders use CloudAppEvents to investigate OAuth abuse, mailbox compromise, SharePoint access, OneDrive activity and cloud-based attack techniques inside Microsoft Defender XDR.
Lesson 47 β€” Investigating IdentityInfo: The Account Looked Normal. The Permissions Didn't. Learn how defenders use IdentityInfo to investigate user accounts, privileged roles, group memberships, departments, managers and identity context during Microsoft Defender XDR investigations.
Lesson 48 β€” Investigating SecurityIncident: Five Alerts. One Incident. Learn how defenders use SecurityIncident to investigate correlated alerts, incident severity, affected entities, attack timelines and complete attack stories inside Microsoft Defender XDR.
Lesson 49 β€” Investigating BehaviorEntities: The User Wasn't Suspicious. The Behaviour Was. Learn how defenders use BehaviorEntities to investigate unusual activity, behavioural analytics, risk indicators and suspicious patterns across Microsoft Defender XDR investigations.
Lesson 50 β€” The Timeline Told The Story Learn how defenders combine email, URL, identity, cloud, alert and incident telemetry to reconstruct a complete Microsoft Defender XDR investigation from initial access through to attacker activity.
Learning Path 5 β€” Email Security Investigations Email authentication, sender identity, delivery outcomes, ThreatTypes, DetectionMethods, AuthenticationDetails, BCL, recipients, subjects and message identifiers.
Lessons 51–72 Microsoft Defender XDR KQL threat hunting
Lesson 51 β€” Investigating NetworkMessageId in Microsoft Defender XDR Learn how defenders use NetworkMessageId to connect EmailEvents, UrlClickEvents, EmailAttachmentInfo and EmailUrlInfo together, allowing complete email investigations across Microsoft Defender XDR.
Lesson 52 β€” Investigating EmailAuthenticationResults in Microsoft Defender XDR Learn how defenders use EmailAuthenticationResults to investigate SPF, DKIM, DMARC and composite authentication outcomes, helping identify phishing, spoofing and email impersonation attacks in Microsoft Defender XDR.
Lesson 53 β€” Investigating SenderFromAddress vs SenderMailFromAddress in Microsoft Defender XDR Learn how defenders compare SenderFromAddress and SenderMailFromAddress to identify spoofing, phishing, impersonation attempts and misleading sender information during Microsoft Defender XDR investigations.
Lesson 54 β€” Investigating DeliveryLocation in Microsoft Defender XDR Learn how defenders use DeliveryLocation to determine whether messages reached the inbox, junk folder, quarantine, deleted items or another destination during Microsoft Defender XDR email investigations.
Lesson 55 β€” Investigating DeliveryAction in Microsoft Defender XDR Learn how defenders use DeliveryAction to understand what Microsoft 365 actually did with an email, including delivered, blocked, quarantined, redirected and other mail flow actions during Microsoft Defender XDR investigations.
Lesson 56 β€” Investigating ThreatTypes in Microsoft Defender XDR Learn how defenders use ThreatTypes to understand whether Microsoft classified messages as phishing, malware, spam, spoofing, bulk mail or other email threats during Microsoft Defender XDR investigations.
Lesson 57 β€” Investigating DetectionMethods in Microsoft Defender XDR Learn how defenders use DetectionMethods to understand how Microsoft identified, analysed and classified email threats, helping explain why messages were flagged as phishing, malware, spoofing, spam or other suspicious activity during Microsoft Defender XDR investigations.
Lesson 58 β€” Investigating EmailDirection in Microsoft Defender XDR Learn how defenders use EmailDirection to determine whether messages were inbound, outbound or internal, helping investigators understand attack paths, user activity, mail flow behaviour and potential security incidents during Microsoft Defender XDR investigations.
Lesson 59 β€” Investigating OrgLevelAction in Microsoft Defender XDR Learn how defenders use OrgLevelAction to understand what action Microsoft 365 organisational policies applied to suspicious email messages, helping explain whether messages were delivered, blocked, quarantined, redirected or otherwise handled during Microsoft Defender XDR investigations.
Lesson 60 β€” Investigating AuthenticationDetails in Microsoft Defender XDR Learn how defenders use AuthenticationDetails to investigate SPF, DKIM, DMARC and composite authentication results, helping determine whether email messages were genuinely sent from trusted domains or potentially involved spoofing, impersonation or phishing activity during Microsoft Defender XDR investigations.
Lesson 61 β€” Investigating SenderIPv4 in Microsoft Defender XDR Learn how defenders use SenderIPv4 to identify the originating IP address behind email messages, helping investigate phishing campaigns, spoofing attempts, suspicious infrastructure, sender reputation and malicious email activity during Microsoft Defender XDR investigations.
Lesson 62 β€” Investigating SenderIPv6 in Microsoft Defender XDR Learn how defenders use SenderIPv6 to identify the originating IPv6 infrastructure behind email messages, helping investigate phishing campaigns, spoofing attempts, sender reputation, suspicious mail servers and malicious email activity during Microsoft Defender XDR investigations.
Lesson 63 β€” Investigating SenderMailFromAddress in Microsoft Defender XDR Learn how defenders use SenderMailFromAddress to investigate the actual SMTP sender behind email messages, helping identify spoofing attempts, phishing attacks, mail flow anomalies and authentication issues during Microsoft Defender XDR investigations.
Lesson 64 β€” Investigating SenderMailFromDomain in Microsoft Defender XDR Learn how defenders use SenderMailFromDomain to investigate the SMTP domain used during email delivery, helping identify spoofing attempts, SPF alignment issues, phishing campaigns, domain impersonation and email authentication anomalies during Microsoft Defender XDR investigations.
Lesson 65 β€” Investigating BulkComplaintLevel (BCL) in Microsoft Defender XDR Learn how defenders use BulkComplaintLevel (BCL) to understand how Microsoft classifies newsletters, marketing campaigns and bulk email, helping investigate email reputation, spam filtering decisions, user complaints and message handling during Microsoft Defender XDR investigations.
Lesson 66 β€” Investigating CompositeAuthentication in Microsoft Defender XDR Learn how defenders use CompositeAuthentication to understand Microsoft's overall authentication verdict, helping investigate SPF, DKIM, DMARC alignment, spoofing attempts, phishing campaigns and email trust decisions during Microsoft Defender XDR investigations.
Lesson 67 β€” Investigating RecipientEmailAddress in Microsoft Defender XDR Learn how defenders use RecipientEmailAddress to identify who received suspicious messages, helping investigate phishing campaign reach, targeted users, email delivery activity and message distribution across Microsoft 365 during Microsoft Defender XDR investigations.
Lesson 68 β€” Investigating SenderFromDomain in Microsoft Defender XDR Learn how defenders use SenderFromDomain to investigate the visible sender domain presented to recipients, helping identify domain impersonation, phishing campaigns, trusted-domain abuse and suspicious email activity during Microsoft Defender XDR investigations.
Lesson 69 β€” Investigating SenderDisplayName in Microsoft Defender XDR Learn how defenders use SenderDisplayName to investigate display-name impersonation, executive spoofing, business email compromise (BEC), phishing campaigns and deceptive sender identities during Microsoft Defender XDR investigations.
Lesson 70 β€” Investigating Subject in Microsoft Defender XDR Learn how defenders use Subject to investigate phishing campaigns, malicious lures, invoice fraud, credential harvesting attempts and campaign clustering by analysing email subjects during Microsoft Defender XDR investigations.
Lesson 71 β€” Investigating InternetMessageId in Microsoft Defender XDR Learn how defenders use InternetMessageId to uniquely identify email messages across Microsoft Defender XDR and Exchange Online, helping correlate phishing reports, trace message delivery and connect related security events during Microsoft 365 investigations.
Lesson 72 β€” Investigating ReportId in Microsoft Defender XDR Learn how defenders use ReportId to correlate related email events, group investigation evidence and identify activity belonging to the same Microsoft Defender XDR investigation across multiple security tables.
Learning Path 6 β€” URL Clicks & Phishing Correlation UrlClickEvents, URL chains, click-through behaviour and complete phishing investigations that correlate email, endpoint and network evidence.
Lessons 73–80 Microsoft Defender XDR KQL threat hunting
Lesson 73 β€” Advanced UrlClickEvents Investigations in Microsoft Defender XDR Learn how defenders perform advanced investigations using UrlClickEvents to determine whether users clicked malicious links, correlate phishing emails, analyse Safe Links activity and build complete investigation timelines during Microsoft Defender XDR investigations.
Lesson 74 β€” Investigating UrlChain in Microsoft Defender XDR Learn how defenders use UrlChain to trace every redirect from the original clicked link to the final destination, helping uncover phishing infrastructure, malicious redirects and credential harvesting attacks during Microsoft Defender XDR investigations.
Lesson 75 β€” Investigating IsClickedThrough in Microsoft Defender XDR Learn how defenders use IsClickedThrough to determine whether users continued beyond Microsoft Defender Safe Links protection, helping investigate successful phishing attempts, risky user behaviour and potential credential compromise during Microsoft Defender XDR investigations.
Lesson 76 β€” Investigating ActionType in UrlClickEvents Learn how defenders use ActionType in UrlClickEvents to understand how Microsoft Defender handled URL clicks, helping investigate blocked, allowed and Safe Links-protected user activity during Microsoft Defender XDR investigations.
Lesson 77 β€” Correlating EmailEvents and UrlClickEvents in Microsoft Defender XDR Learn how defenders correlate EmailEvents and UrlClickEvents using KQL to build complete phishing investigation timelines, identify affected users, determine who clicked malicious links and understand how Microsoft Defender XDR records email delivery and user interaction.
Lesson 78 β€” Correlating EmailEvents with DeviceProcessEvents in Microsoft Defender XDR Learn how defenders correlate EmailEvents with DeviceProcessEvents using KQL to determine what executed on a device after a phishing email was delivered or an attachment was opened, helping identify malicious payload execution and endpoint compromise during Microsoft Defender XDR investigations.
Lesson 79 β€” Correlating EmailEvents with DeviceNetworkEvents in Microsoft Defender XDR Learn how defenders correlate EmailEvents with DeviceNetworkEvents using KQL to determine whether a phishing email resulted in outbound network activity, helping identify malicious domains, command-and-control communication, payload downloads and endpoint compromise during Microsoft Defender XDR investigations.
Lesson 80 β€” Building a Complete Phishing Investigation in Microsoft Defender XDR Learn how defenders combine EmailEvents, UrlClickEvents, DeviceProcessEvents and DeviceNetworkEvents to reconstruct an end-to-end phishing investigation, following an attack from email delivery through user interaction, endpoint execution and outbound network activity in Microsoft Defender XDR.
Learning Path 7 β€” Attack Scenarios Lateral movement, PowerShell attacks, ransomware behaviour, LOLBins, device timelines, credential theft, persistence, IOC hunting and BEC investigations.
Lessons 81–90 Microsoft Defender XDR KQL threat hunting
Lesson 81 β€” Investigating Lateral Movement in Microsoft Defender XDR Learn how defenders investigate lateral movement by tracking logons, remote connections, authentication activity and endpoint evidence to follow an attacker moving through the environment in Microsoft Defender XDR.
Lesson 82 β€” Investigating PowerShell Attacks in Microsoft Defender XDR Learn how defenders investigate malicious PowerShell activity by identifying encoded commands, suspicious execution, parent processes and endpoint evidence in Microsoft Defender XDR.
Lesson 83 β€” Investigating Ransomware Behaviour in Microsoft Defender XDR Learn how defenders investigate ransomware behaviour by identifying encryption activity, mass file changes, suspicious processes and attacker techniques in Microsoft Defender XDR.
Lesson 84 β€” Investigating Living Off The Land (LOLBins) in Microsoft Defender XDR Learn how defenders investigate Living Off The Land (LOLBins) techniques by identifying legitimate Windows tools abused by attackers to execute malicious activity while avoiding detection.
Lesson 85 β€” Building a Device Timeline in Microsoft Defender XDR Learn how defenders build a complete device timeline by correlating process, network, file and logon activity to reconstruct attacker behaviour in Microsoft Defender XDR.
Lesson 86 β€” Investigating Credential Theft in Microsoft Defender XDR Learn how defenders investigate credential theft by identifying suspicious authentication activity, stolen credentials and attacker techniques used to gain unauthorised access in Microsoft Defender XDR.
Lesson 87 β€” Investigating Persistence Techniques in Microsoft Defender XDR Learn how defenders investigate persistence techniques by identifying scheduled tasks, registry changes, services and other attacker methods used to maintain access in Microsoft Defender XDR.
Lesson 88 β€” Building an IOC Hunt in Microsoft Defender XDR Learn how defenders build an IOC hunt by identifying malicious files, IP addresses, domains, URLs and hashes across the environment using Microsoft Defender XDR.
Lesson 89 β€” Building an Incident Timeline in Microsoft Defender XDR Learn how defenders build a complete incident timeline by correlating identity, device, email and network activity to reconstruct an attack in Microsoft Defender XDR.
Lesson 90 β€” Investigating a Business Email Compromise (BEC) in Microsoft Defender XDR Learn how defenders investigate Business Email Compromise (BEC) by correlating email, identity and endpoint activity to uncover attacker actions in Microsoft Defender XDR.
Learning Path 8 β€” Advanced Hunting Techniques Advanced joins, reusable hunting queries, dynamic JSON, performance optimisation, arg_max(), make_set(), mv-expand, mv-apply, regex and reusable KQL patterns.
Lessons 91–100 Microsoft Defender XDR KQL threat hunting
Lesson 91 β€” Advanced join Techniques in KQL for Microsoft Defender XDR Learn how defenders use advanced join techniques to correlate data across multiple Microsoft Defender XDR tables and build more powerful threat hunting queries.
Lesson 92 β€” Using let Statements to Build Reusable Hunting Queries Learn how defenders use let statements in KQL to create reusable variables, simplify complex queries and build more efficient Microsoft Defender XDR threat hunting investigations.
Lesson 93 β€” Working with Dynamic Data and JSON in KQL Learn how defenders work with dynamic data and JSON in KQL to extract, parse and analyse complex Microsoft Defender XDR telemetry for advanced threat hunting.
Lesson 94 β€” Optimising KQL Queries for Performance Learn how defenders optimise KQL queries by reducing search scope, filtering efficiently and improving Microsoft Defender XDR threat hunting performance.
Lesson 95 β€” Using arg_max() in KQL Learn how defenders use arg_max() to return the most recent event in each group, making Microsoft Defender XDR investigations faster, cleaner and easier to interpret.
Lesson 96 β€” Using make_set() in KQL Learn how defenders use make_set() to build unique collections of users, devices, IP addresses, domains and other indicators, making Microsoft Defender XDR investigations easier to summarise and analyse.
Lesson 97 β€” Using mv-expand in KQL Learn how defenders use mv-expand to split arrays and multi-value fields into individual records, making Microsoft Defender XDR investigations easier to analyse and uncover hidden evidence.
Lesson 98 β€” Using mv-apply in KQL Learn how defenders use mv-apply to analyse multi-value fields with greater control, enabling advanced Microsoft Defender XDR threat hunting across arrays, nested objects and complex telemetry.
Lesson 99 β€” Using Regular Expressions (regex) in KQL Learn how defenders use regular expressions (regex) in KQL to identify suspicious patterns, extract hidden data and perform advanced Microsoft Defender XDR threat hunting across emails, URLs, command lines and log data.
Lesson 100 β€” Building Reusable Hunting Queries in KQL Learn how defenders build reusable KQL hunting queries using let statements, variables, reusable logic and modular techniques to create faster, more consistent Microsoft Defender XDR investigations.
Learning Path 9 β€” Hunting Playbook Series Practical Microsoft Defender XDR hunting playbooks for common attacker behaviours, from impossible travel and credential theft through to OAuth abuse, PowerShell, LOLBins, persistence, risky sign-ins, insider threats and ransomware.
Lessons 101–110 Threat hunting Microsoft Defender XDR
Lesson 101 β€” Hunting Playbook: Impossible Travel Learn how defenders hunt for impossible travel by correlating Microsoft Defender XDR and Microsoft Entra ID sign-in telemetry, IP addresses, locations and authentication activity to determine whether suspicious sign-ins represent legitimate travel or compromised credentials.
Lesson 102 β€” Hunting Playbook: Credential Theft Learn how defenders hunt for credential theft by analysing suspicious sign-ins, authentication behaviour, token usage, password activity and Microsoft Defender XDR identity telemetry to identify compromised accounts before attackers can move laterally.
Lesson 103 β€” Hunting Playbook: Malicious Inbox Rules Learn how defenders hunt for malicious inbox rules by investigating Microsoft Defender XDR and Exchange Online telemetry to detect hidden forwarding rules, suspicious mailbox persistence, message redirection and post-compromise attacker activity.
Lesson 104 β€” Hunting Playbook: OAuth Abuse Learn how defenders hunt for OAuth abuse by investigating suspicious application consent, delegated permissions, token usage, Microsoft Entra ID activity and Microsoft Defender XDR telemetry to detect attackers maintaining persistent access through malicious applications.
Lesson 105 β€” Hunting Playbook: PowerShell Abuse Learn how defenders hunt for malicious PowerShell activity by analysing Microsoft Defender XDR process events, command-line arguments, encoded commands and script execution to identify attacker reconnaissance, persistence and post-compromise behaviour.
Lesson 106 β€” Hunting Playbook: LOLBins Learn how defenders hunt for Living Off the Land Binaries by analysing Microsoft Defender XDR process telemetry, parent-child process relationships, command-line activity and legitimate Windows tools being abused for malicious execution, persistence and lateral movement.
Lesson 107 β€” Hunting Playbook: Persistence Mechanisms Learn how defenders hunt for attacker persistence by analysing Microsoft Defender XDR telemetry to detect scheduled tasks, services, startup folders, registry run keys, WMI event subscriptions and other techniques used to maintain long-term access to compromised systems.
Lesson 108 β€” Hunting Playbook: Risky Sign-ins Learn how defenders hunt for risky sign-ins by analysing Microsoft Entra ID risk detections, Microsoft Defender XDR identity telemetry, authentication patterns, user behaviour and Conditional Access signals to identify compromised accounts and suspicious access attempts.
Lesson 109 β€” Hunting Playbook: Insider Threats Learn how defenders hunt for insider threats by analysing Microsoft Defender XDR identity, endpoint and Microsoft 365 telemetry to identify unusual user behaviour, abnormal file access, privileged account misuse, suspicious data movement and indicators of malicious or compromised insider activity.
Lesson 110 β€” Hunting Playbook: Ransomware Learn how defenders hunt for ransomware by analysing Microsoft Defender XDR endpoint, identity and file telemetry to detect encryption activity, privilege escalation, lateral movement, malicious processes and attacker behaviour before, during and after a ransomware attack.
Learning Path 10 β€” Incident Response Workflows Complete end-to-end investigation workflows that show how analysts respond to real security incidents, collect evidence, validate user activity, contain threats and close incidents using Microsoft Defender XDR telemetry.
Lessons 111–120 Incident response Analyst workflows
Lesson 111 β€” Incident Response Workflow: Phishing Investigation Learn how defenders investigate a phishing incident from the initial alert through to containment by analysing Microsoft Defender XDR email, identity, endpoint and Safe Links telemetry to determine delivery, user interaction, compromise and remediation.
Lesson 112 β€” Incident Response Workflow: Business Email Compromise Learn how defenders investigate a Business Email Compromise (BEC) incident by analysing Microsoft Defender XDR email, identity and mailbox telemetry to identify unauthorised access, fraudulent email activity, mailbox manipulation, financial fraud indicators and post-compromise attacker behaviour.
Lesson 113 β€” Incident Response Workflow: Compromised User Account Learn how defenders investigate a compromised user account by analysing Microsoft Defender XDR identity, endpoint and cloud telemetry to identify suspicious authentication activity, privilege escalation, attacker persistence, lateral movement and post-compromise behaviour.
Lesson 114 β€” Incident Response Workflow: Malware Infection Learn how defenders investigate a malware infection by analysing Microsoft Defender XDR endpoint, process, file and network telemetry to identify the initial compromise, malicious execution, persistence mechanisms, lateral movement, attacker activity and effective containment strategies.
Lesson 115 β€” Incident Response Workflow: Ransomware Incident Learn how defenders investigate a ransomware incident by correlating Microsoft Defender XDR endpoint, identity, file and network telemetry to reconstruct the attack timeline, identify patient zero, determine the blast radius, contain the threat and support recovery activities.
Lesson 116 β€” Incident Response Workflow: Insider Threat Investigation Learn how defenders investigate a suspected insider threat by analysing Microsoft Defender XDR identity, endpoint, cloud and file telemetry to identify unusual user behaviour, privileged access misuse, abnormal data access, policy violations and potential malicious or compromised insider activity.
Lesson 117 β€” Incident Response Workflow: Data Exfiltration Learn how defenders investigate suspected data exfiltration by analysing Microsoft Defender XDR endpoint, identity, cloud and network telemetry to identify sensitive data access, large file transfers, cloud uploads, external sharing activity and potential data theft.
Lesson 118 β€” Incident Response Workflow: OAuth Application Compromise Learn how defenders investigate a malicious OAuth application compromise by analysing Microsoft Defender XDR identity, cloud and Microsoft Entra ID telemetry to identify unauthorised application consent, delegated permissions, token abuse, persistent access and attacker activity across Microsoft 365 services.
Lesson 119 β€” Incident Response Workflow: Cloud Identity Attack Learn how defenders investigate a cloud identity attack by analysing Microsoft Defender XDR identity, Microsoft Entra ID and cloud telemetry to identify suspicious authentication activity, privilege escalation, token abuse, Conditional Access bypass attempts and attacker movement across Microsoft 365 services.
Lesson 120 β€” Incident Response Workflow: Full Microsoft Defender XDR Investigation Learn how defenders conduct a complete Microsoft Defender XDR investigation by correlating identity, endpoint, email, cloud and network telemetry to reconstruct the attack timeline, identify the initial compromise, determine the blast radius, contain the threat and document the incident from start to finish.
Lesson 121 β€” Advanced KQL: Mastering Join Operations Learn how security analysts use advanced KQL join techniques to correlate Microsoft Defender XDR telemetry across multiple tables, build richer investigations, improve hunting accuracy and create efficient enterprise-scale queries.
Lesson 122 β€” Advanced KQL: Working with Dynamic Data Learn how security analysts work with dynamic data in KQL by exploring JSON objects, arrays and nested Microsoft Defender XDR telemetry using functions such as parse_json(), mv-expand, bag_unpack() and property accessors to extract valuable investigation evidence.
Lesson 123 β€” Advanced KQL: Mastering mv-expand Learn how security analysts use mv-expand to expand arrays and multi-value fields within Microsoft Defender XDR telemetry, making it easier to analyse authentication details, alert evidence, entities and other complex datasets stored as dynamic objects.
Lesson 124 β€” Advanced KQL: Optimising Query Performance Learn how to write faster, more scalable KQL by reducing unnecessary data processing, optimising joins, filtering early, minimising expensive operations and improving query efficiency across large Microsoft Defender XDR environments.
Lesson 125 β€” Advanced KQL: Building Reusable KQL Functions Learn how security analysts create reusable KQL functions to standardise threat hunting, simplify complex queries, reduce duplicated logic and build scalable investigation workflows across Microsoft Defender XDR and Microsoft Sentinel.
Lesson 126 β€” Advanced KQL: Advanced parse_json() Learn how security analysts use parse_json() to extract, navigate and analyse nested JSON objects within Microsoft Defender XDR telemetry, transforming complex dynamic data into meaningful investigation evidence.
Lesson 127 β€” Advanced KQL: Advanced Regular Expressions Learn how security analysts use advanced regular expressions to identify complex patterns, extract hidden indicators, detect suspicious activity and perform precision threat hunting across Microsoft Defender XDR telemetry.
Lesson 128 β€” Advanced KQL: Advanced Time Series Analysis Learn how security analysts use advanced time series analysis in KQL to identify trends, detect anomalies, baseline normal behaviour and uncover suspicious activity across Microsoft Defender XDR telemetry using powerful time-based analytics.
Lesson 129 β€” Advanced KQL: Building Enterprise Hunting Queries Learn how security analysts build enterprise-scale KQL hunting queries by correlating identity, endpoint, email and cloud telemetry, combining multiple Microsoft Defender XDR tables into powerful, scalable threat hunting investigations.
Lesson 130 β€” Advanced KQL: Building a Complete Hunting Workbook Learn how security analysts combine advanced KQL techniques to build a complete Microsoft Defender XDR hunting workbook, correlating identity, endpoint, email and cloud telemetry into a structured investigation framework for enterprise-scale threat hunting.

🚧 New lessons coming soon

Agent Foskett Academy will continue expanding into practical Microsoft Defender XDR and Sentinel investigations, helping defenders build real-world KQL investigation skills step by step.
πŸŽ‰ Advanced KQL Series Complete Congratulations! You have now completed all 130 Agent Foskett Academy lessons, progressing from KQL fundamentals through to advanced Microsoft Defender XDR threat hunting, enterprise investigations and complete hunting workbooks. Stay tuned as the Academy continues to grow with new investigation playbooks, Microsoft security technologies and real-world cyber defence content.

Your first KQL idea

A KQL query usually starts with a table, then narrows the result set using filters. This simple example starts with EmailEvents and asks: show me recent email activity from the last 24 hours.
first-email-events-query.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(24h)
| project Timestamp,
                            SenderFromAddress,
                            RecipientEmailAddress,
                            Subject,
                            DeliveryAction
| order by Timestamp desc
Start with a table EmailEvents tells Defender XDR which email telemetry source you want to investigate.
Filter the time window The where line narrows the query to recent data so you are not searching everything at once.
Project useful columns Project helps you choose only the fields that matter for the investigation.

How to think in KQL

A good KQL query starts with a good investigation question. Before writing anything, ask what you are trying to prove, disprove or understand.
What happened? Start with the event. Was it an email, sign-in, process, URL click, alert or configuration change?
Who or what was involved? Pivot on the user, device, sender, IP address, URL, process name or message ID.
Does the behaviour make sense? The most important question is often not whether something happened, but whether it fits the environment.

Beginner topics coming next

The Academy can grow into a full KQL learning series, with each lesson becoming its own indexable page and linking back into real Agent Foskett investigations.
KQL Foundations What is KQL? β€’ where β€’ project β€’ summarize β€’ order by β€’ contains β€’ has β€’ in β€’ time filters
Microsoft Security Tables EmailEvents β€’ UrlClickEvents β€’ DeviceProcessEvents β€’ DeviceNetworkEvents β€’ SigninLogs β€’ AuditLogs
Investigation Scenarios DMARC failures β€’ suspicious sign-ins β€’ impossible travel β€’ session hijacking β€’ strange processes β€’ risky URL clicks

Learn through real Agent Foskett investigations

Every Academy lesson should connect back to practical investigations. That is what makes the learning useful: syntax connected to real security outcomes.
Email investigations Use KQL to investigate spoofed senders, DMARC failures, delivery actions, suspicious subjects and URL clicks.
Identity investigations Use KQL to review sign-ins, MFA behaviour, session reuse, risky locations and authentication patterns.
Endpoint investigations Use KQL to hunt process execution, suspicious command lines, LOLBins, network connections and device timelines.
The logs already know the story.
Agent Foskett Academy helps investigators learn how to ask the right questions inside Microsoft telemetry.
Continue the investigation

Final thought

KQL becomes powerful when it stops being a language you memorise and becomes a way of thinking.

Start with one question. Choose the right table. Filter the noise. Project the useful fields. Follow the evidence.

That is how investigations begin.

Agent Foskett Academy exists to help defenders learn KQL through real Microsoft security stories.
At GEMXIT We help organisations investigate Microsoft Defender XDR, Microsoft Sentinel, Entra ID, endpoint activity, email threats, KQL hunting and practical security operations workflows.
Agent Foskett mindset The question is not only: β€œCan I write the query?”

It is: β€œWhat question am I asking the data?”

Microsoft Sentinel Academy lessons now live

Agent Foskett Academy now includes published Microsoft Sentinel lessons covering what Microsoft Sentinel is and how Microsoft Sentinel compares with Microsoft Defender XDR.

Agent Foskett Academy

Agent Foskett Academy helps analysts, engineers, students and defenders learn KQL through practical Microsoft Defender XDR, Microsoft Sentinel, Entra ID and Microsoft security investigations.

Learn KQL for Microsoft Defender XDR

GEMXIT provides practical KQL learning content covering EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents, SigninLogs, AuditLogs, Microsoft Defender Advanced Hunting and Sentinel investigations.

KQL Threat Hunting Training

Learn how to write KQL queries, understand Microsoft security telemetry, filter investigation data, project useful fields, review suspicious activity and think like a threat hunter.

Agent Foskett Academy Lessons

Agent Foskett Academy includes beginner KQL lessons covering what KQL is, how to run your first KQL query, how to understand Microsoft security tables and how to filter investigation results.

↑