KQL (Kusto Query Language) is the de facto must-have skill for Microsoft Sentinel. Every Sentinel query, Hunting Query, Workbook, and Analytics Rule is written in KQL. This article organizes 20+ KQL recipes SOC analysts can put to work immediately, each with an explanation.
KQL uses a SQL-like pipeline syntax (table | where ... | summarize ...) optimized for log analysis and threat hunting.
Detect 10+ failed sign-ins from the same user + IP in the past hour.
SigninLogs | where TimeGenerated > ago(1h) | where ResultType != 0 | summarize FailedCount = count() by UserPrincipalName, IPAddress | where FailedCount > 10 | order by FailedCount desc
Detect accounts with many failures followed by a success — the classic password spray success pattern.
SigninLogs
| where TimeGenerated > ago(1h)
| summarize FailedCount = countif(ResultType != 0),
SuccessCount = countif(ResultType == 0)
by UserPrincipalName, IPAddress
| where FailedCount > 5 and SuccessCount > 0Detect sign-ins from multiple geographic locations within 24 hours.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize CountryList = make_set(Country),
IPList = make_set(IPAddress),
TimeList = make_list(TimeGenerated)
by UserPrincipalName
| where array_length(CountryList) > 1Detect assignments of privileged roles (Global Admin, Privileged Role Admin).
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to role"
| extend RoleName = tostring(TargetResources[0].modifiedProperties[1].newValue)
| extend AddedUser = tostring(TargetResources[0].userPrincipalName)
| where RoleName in ("Global Administrator", "Privileged Role Administrator")
| project TimeGenerated, AddedUser, RoleName,
InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)Aggregate sign-ins blocked by Conditional Access.
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| extend BlockedPolicy = tostring(ConditionalAccessPolicies[0].displayName)
| summarize BlockedCount = count()
by UserPrincipalName, BlockedPolicy, ResultDescription
| order by BlockedCount descSecurityAlert | where TimeGenerated > ago(7d) | where AlertSeverity == "High" | extend ResourceId = tostring(parse_json(ExtendedProperties).ResourceId) | summarize HighAlerts = count() by ResourceId, AlertName | order by HighAlerts desc
SecurityEvent | where TimeGenerated > ago(1d) | where EventID == 4624 | where LogonType in (10, 7) // RemoteInteractive, Unlock | summarize LoginCount = count() by Account, IpAddress, Computer | where LoginCount > 50 | order by LoginCount desc
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where StatusCode == 403
| summarize ForbiddenCount = count()
by CallerIpAddress, AccountName, OperationName
| where ForbiddenCount > 100
| order by ForbiddenCount descSigninLogs | where TimeGenerated > ago(1d) | where ResultType != 0 | summarize FailedCount = count() by bin(TimeGenerated, 1h) | render timechart
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType != 0
| summarize AttackCount = count(), Users = dcount(UserPrincipalName)
by IPAddress
| where AttackCount > 100
| order by AttackCount desc
| take 10Sentinel Analytics Rules can be registered with MITRE ATT&CK Tactics and Techniques mapped to them.
| MITRE Technique | Tactic | Sentinel Detection Example |
|---|---|---|
| T1110 Brute Force | Credential Access | Mass failed sign-in detection in SigninLogs |
| T1078 Valid Accounts | Initial Access / Persistence | Admin sign-ins at unusual hours |
| T1098 Account Manipulation | Persistence | AuditLogs Add owner to application |
| T1059 Command and Scripting | Execution | Anomalous PowerShell execution in SecurityEvent |
| T1486 Data Encrypted for Impact | Impact (Ransomware) | Mass file encryption detection in SecurityEvent |
Microsoft's official GitHub (Azure-Sentinel) publishes 300+ MITRE-mapped queries you can copy and paste directly.
Tune using the Time Range and Records Examined metrics in the Log Analytics Query Performance pane. Production Analytics Rules should target an execution time under 5 minutes.
What is KQL?
KQL (Kusto Query Language) is a Microsoft-developed query language adopted as the standard across multiple Microsoft products including Azure Monitor Log Analytics, Microsoft Sentinel, Microsoft Defender Advanced Hunting, and Microsoft Fabric Real-Time Intelligence. Its SQL-like pipeline syntax (table | where ... | summarize ...) is optimized for log analysis, threat hunting, and metrics analysis. SQL veterans can ramp up in a few days, making KQL a de facto must-have skill for SOC analysts using Microsoft Sentinel, infrastructure engineers using Azure Monitor, and data engineers using Fabric Real-Time Intelligence.
What is the basic KQL syntax?
Basic pipeline syntax chains a table name and operators with `|`. Common operators: project (column selection), extend (add columns), summarize (aggregate), where (filter), join, union (vertical concat), parse (string parsing), extract (regex extraction), mv-expand (array expansion), bin (time bucketing), ago (past time), now (current time), make-set / make-list (array aggregation), dcount (distinct count). Example: `SigninLogs | where TimeGenerated > ago(1d) | where ResultType != 0 | summarize Count = count() by UserPrincipalName | top 10 by Count desc`. Think of it as SQL's SELECT/FROM/WHERE/GROUP BY turned into a pipeline. Once you adjust, KQL is often more intuitive and concise than SQL.
What KQL detects failed sign-ins in Sentinel?
Standard pattern: `SigninLogs | where TimeGenerated > ago(1h) | where ResultType != 0 | summarize FailedCount = count() by UserPrincipalName, IPAddress | where FailedCount > 10 | order by FailedCount desc`. This detects 10+ failed sign-ins from the same user + IP in the past hour. Variation for password spray success (failures followed by success): `SigninLogs | where TimeGenerated > ago(1h) | summarize FailedCount = countif(ResultType != 0), SuccessCount = countif(ResultType == 0) by UserPrincipalName, IPAddress | where FailedCount > 5 and SuccessCount > 0`. This is the foundational Brute Force detection pattern and the core query behind production Sentinel Analytics Rules.
What KQL detects Impossible Travel?
Impossible Travel (movement over a physically impossible distance in a short time) is a classic compromised-account pattern. KQL example: `SigninLogs | where TimeGenerated > ago(24h) | where ResultType == 0 | extend Location = Location | summarize LocationList = make_set(Location), IPList = make_set(IPAddress), TimeList = make_list(TimeGenerated) by UserPrincipalName | where array_length(LocationList) > 1 | mv-expand LocationList`. In real-world operations, teams typically ingest Microsoft Entra ID Identity Protection's built-in Impossible Travel risk into Sentinel and use custom KQL as a supplement. Wiring Identity Protection risk signals into Conditional Access is the Zero Trust best practice.
How does KQL map to MITRE ATT&CK?
Sentinel Analytics Rules can be registered with MITRE ATT&CK Tactics and Techniques mapped to them. Examples: T1110 Brute Force (Credential Access tactic) = 'mass failed sign-in detection in SigninLogs', T1078 Valid Accounts (Initial Access / Persistence) = 'admin sign-ins at unusual hours', T1098 Account Manipulation (Persistence) = 'AuditLogs Add owner to application detection'. Built-in Sentinel Hunting Queries carry MITRE ATT&CK tags so SOC analysts can search queries by tag. Microsoft's official GitHub (Azure-Sentinel) publishes 300+ MITRE-mapped queries you can copy and paste directly.
What KQL analyzes Defender for Cloud threats?
Analyzing Defender for Cloud's SecurityAlert table: SecurityAlert | where TimeGenerated > ago(7d) | summarize AlertCount = count() by AlertSeverity, AlertName | order by AlertCount desc | top 20 by AlertCount. Filtering to High Severity only and aggregating by resource: SecurityAlert | where AlertSeverity == 'High' | extend ResourceId = tostring(parse_json(ExtendedProperties).ResourceId) | summarize HighAlerts = count() by ResourceId | order by HighAlerts desc. Pair this with Automation Rules so a High Severity alert triggers a Logic App Playbook (e.g., quarantine a VM, open a ticket, post to Slack). This is a key pattern for streamlining SOC operations.
What are the KQL performance optimization tips?
Key optimization techniques: 1) Always narrow the time range (where TimeGenerated > ago(7d)) — this alone reduces processed data by orders of magnitude. 2) Place where clauses early (filtering on the left side of the pipeline makes everything downstream lighter). 3) Use project to keep only the columns you need (drop unnecessary columns early). 4) Put summarize last (filter first, then aggregate). 5) union + summarize is sometimes faster than join. 6) String operations are faster than regex for parse. 7) Cap results with take / top. 8) Use materialize() to physicalize and reuse subqueries. Tune using the Time Range and Records Examined metrics in the Log Analytics Query Performance pane. Production Analytics Rules should target an execution time of under 5 minutes.
Which certifications are related?
SC-200 (Security Operations Analyst Associate) tests KQL deeply and is the flagship cert for this space. AZ-104 (Administrator) covers Azure Monitor + KQL fundamentals in Domain 5. SC-100 (Cybersecurity Architect Expert) covers SOC architecture design. DP-700 (Fabric Data Engineer) covers KQL in the Fabric Real-Time Intelligence (KQL Database) context. MS-102 (Microsoft 365 Administrator Expert) Domain 3 covers Defender XDR + Advanced Hunting (KQL-based). KQL is the standard across Microsoft's product line, making it essential for any engineer working with Azure, Microsoft 365, or Fabric.
Related Articles & Deep Dives
SC-200 完全ガイド|Microsoft Security Operations Analyst Associate 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Security Operations Analyst Associate (SC-200) の完全ガイド。4 ドメインの出題範囲、Microsoft Sentinel / Defender XDR (Endpoint / Cloud / Identity / Office 365 / Cloud Apps) の運用スキル、KQL Hunting Query、3-4 ヶ月の合格ロードマップ、SC-300 / SC-100 / SC-500 への展開ルートを日本語で網羅。
Microsoft Defender for Cloud 完全ガイド|CSPM・CWPP・Just-in-Time VM・マルチクラウド保護【2026 年版】
Microsoft Defender for Cloud (旧 Azure Security Center) の完全ガイド。Free Tier vs Defender Plans 選定、Microsoft Secure Score・Just-in-Time VM Access・Vulnerability Assessment・マルチクラウド (AWS/GCP) 対応・Microsoft Sentinel との連携・関連認定試験 (SC-200 / SC-100 / SC-500) を日本語で網羅。
Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】
Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。
SC-900 完全ガイド|Microsoft Security, Compliance, and Identity Fundamentals 出題範囲・学習リソース・合格戦略
Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) の完全ガイド。Zero Trust・Microsoft Entra・Defender スイート・Purview の出題範囲、無料 Virtual Training Day バウチャー、4 週間合格ロードマップ、SC-200 / SC-300 / SC-500 / SC-100 へのキャリアパスを日本語で網羅。
The technical content in this article is based on the Microsoft Sentinel Documentation and the Kusto Query Language Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship. Microsoft, Azure, Microsoft Sentinel, Microsoft Defender, and Microsoft Entra are trademarks of the Microsoft group of companies. MITRE ATT&CK is a registered trademark of The MITRE Corporation. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.
Practice with certification-focused question sets
View Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...