Azure

Microsoft Sentinel KQL Recipes: 20+ Patterns You Can Use in SOC Operations

2026-05-24
NicheeLab Editorial Team

KQL (Kusto Query Language) is the de facto must-have skill for Microsoft Sentinel. Every Sentinel query, Hunting Query, Workbook, and Analytics Rule is written in KQL. This article organizes 20+ KQL recipes SOC analysts can put to work immediately, each with an explanation.

KQL Basic Syntax

KQL uses a SQL-like pipeline syntax (table | where ... | summarize ...) optimized for log analysis and threat hunting.

Common Operators

  • project: column selection
  • extend: add columns (derived)
  • summarize: aggregation (count, sum, avg, dcount)
  • where: filter
  • join: join
  • union: vertical concat of tables
  • parse: string parsing
  • extract: regex extraction
  • mv-expand: array expansion
  • bin: time bucketing (bin(TimeGenerated, 1h))
  • ago: past time (ago(7d))
  • now: current time

Recipe 1: Failed Sign-in Detection (Brute Force)

Detect 10+ failed sign-ins from the same user + IP in the past hour.

SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != 0
| summarize FailedCount = count() by UserPrincipalName, IPAddress
| where FailedCount > 10
| order by FailedCount desc

Recipe 2: Password Spray Success Detection

Detect accounts with many failures followed by a success — the classic password spray success pattern.

SigninLogs
| where TimeGenerated > ago(1h)
| summarize FailedCount = countif(ResultType != 0),
            SuccessCount = countif(ResultType == 0)
            by UserPrincipalName, IPAddress
| where FailedCount > 5 and SuccessCount > 0

Recipe 3: Impossible Travel (Sign-ins from Distant Locations in a Short Window)

Detect sign-ins from multiple geographic locations within 24 hours.

SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize CountryList = make_set(Country),
            IPList = make_set(IPAddress),
            TimeList = make_list(TimeGenerated)
            by UserPrincipalName
| where array_length(CountryList) > 1

Recipe 4: Admin Role Assignment Detection

Detect assignments of privileged roles (Global Admin, Privileged Role Admin).

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to role"
| extend RoleName = tostring(TargetResources[0].modifiedProperties[1].newValue)
| extend AddedUser = tostring(TargetResources[0].userPrincipalName)
| where RoleName in ("Global Administrator", "Privileged Role Administrator")
| project TimeGenerated, AddedUser, RoleName,
          InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)

Recipe 5: Conditional Access Block Analysis

Aggregate sign-ins blocked by Conditional Access.

SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| extend BlockedPolicy = tostring(ConditionalAccessPolicies[0].displayName)
| summarize BlockedCount = count()
            by UserPrincipalName, BlockedPolicy, ResultDescription
| order by BlockedCount desc

Recipe 6: Defender for Cloud High Severity Alerts

SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| extend ResourceId = tostring(parse_json(ExtendedProperties).ResourceId)
| summarize HighAlerts = count() by ResourceId, AlertName
| order by HighAlerts desc

Recipe 7: Anomalous VM RDP / SSH Access

SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624
| where LogonType in (10, 7)  // RemoteInteractive, Unlock
| summarize LoginCount = count() by Account, IpAddress, Computer
| where LoginCount > 50
| order by LoginCount desc

Recipe 8: Anomalous Storage Account Access

StorageBlobLogs
| where TimeGenerated > ago(1d)
| where StatusCode == 403
| summarize ForbiddenCount = count()
            by CallerIpAddress, AccountName, OperationName
| where ForbiddenCount > 100
| order by ForbiddenCount desc

Recipe 9: Time-Series Trend (1-Hour Granularity)

SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != 0
| summarize FailedCount = count() by bin(TimeGenerated, 1h)
| render timechart

Recipe 10: Top 10 Attack Source IPs

SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType != 0
| summarize AttackCount = count(), Users = dcount(UserPrincipalName)
            by IPAddress
| where AttackCount > 100
| order by AttackCount desc
| take 10

MITRE ATT&CK Mapping

Sentinel Analytics Rules can be registered with MITRE ATT&CK Tactics and Techniques mapped to them.

MITRE TechniqueTacticSentinel Detection Example
T1110 Brute ForceCredential AccessMass failed sign-in detection in SigninLogs
T1078 Valid AccountsInitial Access / PersistenceAdmin sign-ins at unusual hours
T1098 Account ManipulationPersistenceAuditLogs Add owner to application
T1059 Command and ScriptingExecutionAnomalous PowerShell execution in SecurityEvent
T1486 Data Encrypted for ImpactImpact (Ransomware)Mass file encryption detection in SecurityEvent

Microsoft's official GitHub (Azure-Sentinel) publishes 300+ MITRE-mapped queries you can copy and paste directly.

Performance Optimization

  1. Always narrow the time range (where TimeGenerated > ago(7d)) — this alone reduces processed data by orders of magnitude
  2. Place where clauses early (filtering on the left side of the pipeline makes everything downstream lighter)
  3. Use project to keep only the columns you need (drop unnecessary columns early)
  4. Put summarize last (filter first, then aggregate)
  5. union + summarize over join — sometimes faster
  6. For parse, string operations are faster than regex
  7. Cap results with take / top
  8. Use materialize() to physicalize and reuse subqueries

Tune using the Time Range and Records Examined metrics in the Log Analytics Query Performance pane. Production Analytics Rules should target an execution time under 5 minutes.

Learning Resources

  • Kusto Query Language Documentation: Official KQL documentation
  • Azure-Sentinel GitHub: 300+ Detection / Hunting Queries
  • Microsoft Learn 'Write your first query with Kusto Query Language' module
  • KQL Cheat Sheet (official Microsoft PDF)
  • Sentinel Notebooks (Jupyter-based advanced analytics)

Related Certifications

Frequently Asked Questions

What is KQL?

KQL (Kusto Query Language) is a Microsoft-developed query language adopted as the standard across multiple Microsoft products including Azure Monitor Log Analytics, Microsoft Sentinel, Microsoft Defender Advanced Hunting, and Microsoft Fabric Real-Time Intelligence. Its SQL-like pipeline syntax (table | where ... | summarize ...) is optimized for log analysis, threat hunting, and metrics analysis. SQL veterans can ramp up in a few days, making KQL a de facto must-have skill for SOC analysts using Microsoft Sentinel, infrastructure engineers using Azure Monitor, and data engineers using Fabric Real-Time Intelligence.

What is the basic KQL syntax?

Basic pipeline syntax chains a table name and operators with `|`. Common operators: project (column selection), extend (add columns), summarize (aggregate), where (filter), join, union (vertical concat), parse (string parsing), extract (regex extraction), mv-expand (array expansion), bin (time bucketing), ago (past time), now (current time), make-set / make-list (array aggregation), dcount (distinct count). Example: `SigninLogs | where TimeGenerated > ago(1d) | where ResultType != 0 | summarize Count = count() by UserPrincipalName | top 10 by Count desc`. Think of it as SQL's SELECT/FROM/WHERE/GROUP BY turned into a pipeline. Once you adjust, KQL is often more intuitive and concise than SQL.

What KQL detects failed sign-ins in Sentinel?

Standard pattern: `SigninLogs | where TimeGenerated > ago(1h) | where ResultType != 0 | summarize FailedCount = count() by UserPrincipalName, IPAddress | where FailedCount > 10 | order by FailedCount desc`. This detects 10+ failed sign-ins from the same user + IP in the past hour. Variation for password spray success (failures followed by success): `SigninLogs | where TimeGenerated > ago(1h) | summarize FailedCount = countif(ResultType != 0), SuccessCount = countif(ResultType == 0) by UserPrincipalName, IPAddress | where FailedCount > 5 and SuccessCount > 0`. This is the foundational Brute Force detection pattern and the core query behind production Sentinel Analytics Rules.

What KQL detects Impossible Travel?

Impossible Travel (movement over a physically impossible distance in a short time) is a classic compromised-account pattern. KQL example: `SigninLogs | where TimeGenerated > ago(24h) | where ResultType == 0 | extend Location = Location | summarize LocationList = make_set(Location), IPList = make_set(IPAddress), TimeList = make_list(TimeGenerated) by UserPrincipalName | where array_length(LocationList) > 1 | mv-expand LocationList`. In real-world operations, teams typically ingest Microsoft Entra ID Identity Protection's built-in Impossible Travel risk into Sentinel and use custom KQL as a supplement. Wiring Identity Protection risk signals into Conditional Access is the Zero Trust best practice.

How does KQL map to MITRE ATT&CK?

Sentinel Analytics Rules can be registered with MITRE ATT&CK Tactics and Techniques mapped to them. Examples: T1110 Brute Force (Credential Access tactic) = 'mass failed sign-in detection in SigninLogs', T1078 Valid Accounts (Initial Access / Persistence) = 'admin sign-ins at unusual hours', T1098 Account Manipulation (Persistence) = 'AuditLogs Add owner to application detection'. Built-in Sentinel Hunting Queries carry MITRE ATT&CK tags so SOC analysts can search queries by tag. Microsoft's official GitHub (Azure-Sentinel) publishes 300+ MITRE-mapped queries you can copy and paste directly.

What KQL analyzes Defender for Cloud threats?

Analyzing Defender for Cloud's SecurityAlert table: SecurityAlert | where TimeGenerated > ago(7d) | summarize AlertCount = count() by AlertSeverity, AlertName | order by AlertCount desc | top 20 by AlertCount. Filtering to High Severity only and aggregating by resource: SecurityAlert | where AlertSeverity == 'High' | extend ResourceId = tostring(parse_json(ExtendedProperties).ResourceId) | summarize HighAlerts = count() by ResourceId | order by HighAlerts desc. Pair this with Automation Rules so a High Severity alert triggers a Logic App Playbook (e.g., quarantine a VM, open a ticket, post to Slack). This is a key pattern for streamlining SOC operations.

What are the KQL performance optimization tips?

Key optimization techniques: 1) Always narrow the time range (where TimeGenerated > ago(7d)) — this alone reduces processed data by orders of magnitude. 2) Place where clauses early (filtering on the left side of the pipeline makes everything downstream lighter). 3) Use project to keep only the columns you need (drop unnecessary columns early). 4) Put summarize last (filter first, then aggregate). 5) union + summarize is sometimes faster than join. 6) String operations are faster than regex for parse. 7) Cap results with take / top. 8) Use materialize() to physicalize and reuse subqueries. Tune using the Time Range and Records Examined metrics in the Log Analytics Query Performance pane. Production Analytics Rules should target an execution time of under 5 minutes.

Which certifications are related?

SC-200 (Security Operations Analyst Associate) tests KQL deeply and is the flagship cert for this space. AZ-104 (Administrator) covers Azure Monitor + KQL fundamentals in Domain 5. SC-100 (Cybersecurity Architect Expert) covers SOC architecture design. DP-700 (Fabric Data Engineer) covers KQL in the Fabric Real-Time Intelligence (KQL Database) context. MS-102 (Microsoft 365 Administrator Expert) Domain 3 covers Defender XDR + Advanced Hunting (KQL-based). KQL is the standard across Microsoft's product line, making it essential for any engineer working with Azure, Microsoft 365, or Fabric.

Related Articles & Deep Dives

SC-200 完全ガイド|Microsoft Security Operations Analyst Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Security Operations Analyst Associate (SC-200) の完全ガイド。4 ドメインの出題範囲、Microsoft Sentinel / Defender XDR (Endpoint / Cloud / Identity / Office 365 / Cloud Apps) の運用スキル、KQL Hunting Query、3-4 ヶ月の合格ロードマップ、SC-300 / SC-100 / SC-500 への展開ルートを日本語で網羅。

Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】

Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。

Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】

Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。

SC-900 完全ガイド|Microsoft Security, Compliance, and Identity Fundamentals 出題範囲・学習リソース・合格戦略

Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) の完全ガイド。Zero Trust・Microsoft Entra・Defender スイート・Purview の出題範囲、無料 Virtual Training Day バウチャー、4 週間合格ロードマップ、SC-200 / SC-300 / SC-500 / SC-100 へのキャリアパスを日本語で網羅。

The technical content in this article is based on the Microsoft Sentinel Documentation and the Kusto Query Language Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship. Microsoft, Azure, Microsoft Sentinel, Microsoft Defender, and Microsoft Entra are trademarks of the Microsoft group of companies. MITRE ATT&CK is a registered trademark of The MITRE Corporation. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.