Agent Foskett Academy • Lesson 1 • KQL Foundations

What is KQL?

KQL stands for Kusto Query Language.

It is the language used across Microsoft security platforms to search, filter and investigate telemetry.

Inside Microsoft Defender XDR, Microsoft Sentinel, Entra ID and Azure Log Analytics, KQL helps defenders investigate suspicious activity, follow attacker behaviour and understand what the logs are really saying.

KQL is not just query syntax.

It is how investigators ask better questions of Microsoft security data.

Lesson overview

Learn what KQL is, where it appears across Microsoft security tools and why it matters for real-world defenders.

Plain-English KQL introduction
Where KQL appears in Microsoft security
Why KQL matters for investigations
🧠 KQL is how investigators ask questions of Microsoft telemetry.
Dashboards show summaries. KQL lets defenders investigate the detail behind the signal.

What does KQL actually do?

Think of KQL as a search language for security telemetry. Instead of searching the internet like Google, you are searching security events, sign-ins, emails, devices, alerts, URL clicks and cloud activity.
Search the logs: KQL helps you search large amounts of Microsoft security data quickly, without manually opening every alert or event.
Filter the noise: Security telemetry can be noisy. KQL helps you narrow the data to the users, devices, timestamps, domains or actions that matter.
Follow the evidence: KQL lets defenders pivot through related activity and understand what happened, who was involved and whether the behaviour makes sense.

Where do defenders use KQL?

KQL appears across Microsoft security and monitoring tools. If you work with Defender, Sentinel, Entra ID logs or Azure monitoring, you will eventually meet KQL.
Microsoft Defender XDR: Advanced Hunting uses KQL to investigate email, endpoint, identity and cloud activity across Microsoft security tables.
Microsoft Sentinel: Sentinel uses KQL for SIEM investigations, analytics rules, threat hunting, workbooks, incidents and log analysis.
Azure Log Analytics: Azure Monitor and Log Analytics use KQL to query application, infrastructure, identity and platform telemetry.

Plain-English example

A defender might use KQL to ask questions like these:
Which emails failed DMARC today? This could help investigate spoofed sender domains and authentication failures in Microsoft Defender XDR.
Which users failed MFA repeatedly? This could help identify password spray activity, account targeting or authentication friction.
Which devices launched PowerShell? This could help investigate suspicious scripts, living-off-the-land behaviour or post-compromise activity.

Your first KQL query

Every KQL investigation starts with asking a question. This simple query asks Microsoft Defender XDR: show me 10 email events.
first-kql-query.kql
EmailEvents
| take 10
EmailEvents: This tells Defender XDR which telemetry table you want to search. In this case, email activity.
| take 10: This tells Defender to return 10 rows from the table so you can quickly see what the data looks like. Note that take returns any 10 rows, not necessarily the newest; if order matters, sort first.
Start simple: Most investigations begin with a small query, then expand as the evidence becomes clearer.

Understanding the pipe symbol

The pipe symbol | is one of the most important parts of KQL. It means: take the results from the previous step and do something else with them.
pipe-symbol-example.kql
EmailEvents
| where SenderFromDomain == "gmail.com"
Plain-English translation:

Show me email events, then only keep the ones whose sender domain is gmail.com.

Why KQL matters for defenders

Dashboards are useful, but dashboards do not always explain the full story. KQL helps defenders move from passive monitoring to active investigation.
Dashboards show summaries: KQL helps you inspect the events behind the dashboard and understand why something happened.
Attackers hide in normal activity: Modern attacks often look like normal sign-ins, trusted processes, allowed emails or expected cloud activity.
The logs already know: KQL gives defenders a way to ask better questions of the telemetry that already exists in the environment.

How to think in KQL

A good KQL query starts with a good investigation question. Before writing anything, ask what you are trying to prove, disprove or understand.
What happened? Was it an email, a sign-in, a process, a URL click, an alert or a configuration change?
Who or what was involved? Pivot on the user, device, sender, IP address, URL, process name, message ID or application.
Does the behaviour make sense? The most important question is often not whether something happened, but whether it fits the environment.

Common beginner KQL building blocks

You do not need to learn everything at once. Start with a few building blocks and practise asking simple investigation questions.
where: Filters the results. Example: only show events from the last 24 hours or from a specific sender domain.
project: Chooses which columns to display. This helps remove clutter and focus on the useful fields.
order by: Sorts the results. Investigators often sort by timestamp so the newest or oldest activity appears first.
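The following query is an added example, not part of the lesson, that puts the three building blocks above (plus extend, one step beyond them) together to answer the earlier question "Which emails failed DMARC today?". It assumes the Defender XDR EmailEvents schema, in particular the Timestamp, RecipientEmailAddress, Subject, DeliveryAction and AuthenticationDetails columns, where AuthenticationDetails is a JSON string carrying the SPF, DKIM, DMARC and CompAuth verdicts.

```kql
// Added example: which emails failed DMARC in the last 24 hours?
// Assumes the Defender XDR EmailEvents schema, including AuthenticationDetails,
// a JSON string such as {"SPF":"pass","DKIM":"fail","DMARC":"fail","CompAuth":"fail"}.
EmailEvents
| where Timestamp > ago(24h)                                         // where: only today's events
| extend DMARC = tostring(parse_json(AuthenticationDetails).DMARC)  // pull the DMARC verdict out of the JSON
| where DMARC == "fail"                                              // where: keep only the failures
| project Timestamp, SenderFromDomain, RecipientEmailAddress,
          Subject, DeliveryAction, DMARC                             // project: the useful columns only
| order by Timestamp desc                                            // order by: newest activity first
| take 50                                                            // start small, then expand
```

DeliveryAction shows whether each failing message was delivered, junked or blocked, which is the "does the behaviour make sense?" check from the previous section.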

What KQL is not

KQL can look technical at first, but it does not need to be intimidating. It is not about becoming a programmer. It is about learning how to investigate data clearly.
It is not only for developers: Security analysts, administrators, engineers and defenders can all use KQL to understand Microsoft telemetry.
It is not memorisation: The goal is not to memorise every command. The goal is to understand the question you are asking.
It is not only advanced hunting: KQL appears across Defender XDR, Sentinel, Log Analytics, Azure Monitor and other Microsoft investigation workflows.
The logs already know the story.
KQL helps defenders learn how to ask the right questions inside Microsoft telemetry.
Continue Learning

Next lesson coming soon

The next Agent Foskett Academy lesson will build on this foundation and show how to write your first practical KQL query using time filters, columns and simple investigation logic.
Lesson 2 — Your First KQL Query: Learn how to start with a table, filter by time, choose useful columns and understand what each line of a simple KQL query does.
Lesson 3 — Microsoft Security Tables: Understand EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents and SigninLogs before hunting across them.
