Agent Foskett Academy • KQL Learning Path • 130 Lessons

Agent Foskett KQL Academy

This is the dedicated home for the complete Agent Foskett KQL learning path.

Across 130 structured lessons, analysts learn how to use Kusto Query Language to investigate Microsoft Defender XDR telemetry, build timelines, correlate evidence, hunt across identity, email, endpoint and cloud data, and design enterprise-grade hunting workflows.

This page is different from the main Academy portal. The portal introduces every Agent Foskett academy. This page focuses only on practical KQL, Defender XDR investigations and Microsoft security threat hunting.

130Published KQL lessons
10Structured learning paths
XDREmail, identity, endpoint and cloud telemetry
KQLFrom foundations to enterprise hunting
Agent Foskett KQL Academy for Microsoft Defender XDR threat hunting
KQL Academy focus

Learn KQL as an investigation skill, not just a query language. Every module connects syntax to real Microsoft security telemetry.

Defender XDR advanced hunting
Sentinel-style investigation thinking
Enterprise hunting workflows
🎓 A complete KQL course, not a coming soon page.
The KQL Academy is the flagship Agent Foskett learning path, with 130 lessons already available and linked from the main Academy catalogue.
Start Lesson 1 →

KQL Academy learning paths

Use this hub to understand the full KQL journey. Each learning path maps to a major stage in the existing 130-lesson Academy catalogue.
Lessons 1–11
KQL FoundationsStart with what KQL is, your first query, security tables, filtering, useful columns, sorting, summarize, bin(), distinct and top.
Lessons 12–17
Investigation WorkflowMove from single queries into EmailEvents, UrlClickEvents, joins, investigation timelines, let statements and reusable parameters.
Lessons 18–32
KQL Operators & FunctionsLearn in, has_any, contains_cs, startswith, regex, parse_json, extract, mv-expand, mv-apply, extend, case(), iff() and text normalisation.
Lessons 33–50
Defender XDR TablesExplore endpoint, identity, alert, incident, behaviour, device and cloud telemetry inside Microsoft Defender XDR.
Lessons 51–72
Email Security InvestigationsInvestigate NetworkMessageId, AuthenticationDetails, sender fields, delivery outcomes, ThreatTypes, BCL, recipients and message identifiers.
Lessons 73–80
URL Clicks & Phishing CorrelationTrace phishing activity from email delivery through Safe Links clicks, URL chains, endpoint process activity and network telemetry.
Lessons 81–90
Attack ScenariosApply KQL to lateral movement, PowerShell attacks, ransomware behaviour, LOLBins, credential theft, persistence, IOC hunts and BEC.
Lessons 91–100
Advanced Hunting TechniquesBuild stronger hunts with advanced joins, reusable logic, dynamic data, performance tuning, arg_max(), make_set(), mv-expand, mv-apply and regex.
Lessons 101–110
Hunting Playbook SeriesUse KQL to hunt impossible travel, credential theft, OAuth abuse, risky sign-ins, PowerShell, LOLBins, persistence, insider threats and ransomware.
Lessons 111–120
Incident Response WorkflowsBring KQL into full response workflows for phishing, BEC, compromised accounts, malware, ransomware, insider threat, exfiltration and OAuth compromise.
Lessons 121–130
Advanced KQL CapstoneMaster joins, dynamic data, mv-expand, query performance, reusable functions, parse_json(), regex, time series analysis, enterprise hunts and complete workbooks.
Capstone
Complete Hunting WorkbookThe final KQL lesson brings the course together into a structured enterprise hunting workbook for Microsoft Defender XDR investigations.

What makes this KQL Academy different?

This page is intentionally focused on KQL and Microsoft security investigation skills. It is not a duplicate of the main Academy portal.
Investigation-first KQLEvery module connects syntax to a security question: what happened, who was involved, where did it spread and what evidence proves it?
Defender XDR focusedThe lessons use Microsoft Defender XDR tables such as EmailEvents, DeviceProcessEvents, UrlClickEvents, AlertInfo, AlertEvidence and CloudAppEvents.
Built for analystsThe course is designed for SOC analysts, Microsoft security engineers, administrators, trainers and defenders who want practical hunting skills.

Explore other Agent Foskett academies

The KQL Academy is the completed flagship learning path. These newer academy hubs introduce the next phase of Agent Foskett training.
Microsoft Sentinel AcademyLearn SIEM concepts, data connectors, analytics rules, automation, hunting, workbooks and incident management.
Microsoft Entra Security AcademyExplore identity protection, Conditional Access, PIM, authentication methods, risky sign-ins and Zero Trust identity security.
Defender for Endpoint AcademyLearn endpoint protection, device investigations, ASR, TVM, Live Response, isolation, EDR and custom detections.
Defender for Cloud AcademyExplore cloud posture management, workload protection, secure score, Azure recommendations, containers and cloud threat detection.
Security Copilot AcademyPrepare for AI-assisted security investigations, prompt engineering, incident summaries and Microsoft Security Copilot workflows.
Main Academy PortalReturn to the complete Agent Foskett Academy hub covering all Microsoft security learning paths.

Final thought

KQL is how Microsoft security analysts turn telemetry into evidence.
The logs already knew.The KQL Academy teaches analysts how to ask better questions of Microsoft security data, follow evidence across tables and turn millions of events into a clear investigation story.

Agent Foskett KQL Academy

Agent Foskett KQL Academy is a complete 130 lesson Microsoft security learning path for Kusto Query Language, Microsoft Defender XDR, Microsoft Sentinel, threat hunting and incident response investigations.

Learn KQL for Microsoft Defender XDR

Learn practical KQL for EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents, IdentityLogonEvents, AlertInfo, AlertEvidence, CloudAppEvents and enterprise hunting workflows.

KQL threat hunting learning path

This KQL learning path covers beginner KQL, investigation workflows, Defender XDR tables, email security, phishing correlation, attack scenarios, hunting playbooks, incident response and advanced enterprise hunting workbooks.