This documentation is about Kusto Query Language (KQL) with a primary focus on targeting the Security Analysts audience. KQL can be used by Security Analysts to search for security events at a large scale, which makes it very useful to have a basic understanding of it.
Cloud & Security Administrators who manage Azure AD & Office365 can use this document as well to understand on how to search for different activities in their Cloud environment. We will cover a few examples such as finding activities in Azure AD, Exchange & SharePoint – Online.
The purpose of this documentation is to provide a basic understanding on how the structure of KQL works with ”hands-on” examples. It walks you through the different steps on searching and analyzing different datasets, and last, but not least. There is a homework section at the end of this document to make sure that you also practice it hands-on. There is nothing ”advanced” here, because the focus is on using common KQL operators in practice, and not the rare ones. That you might only use once a while.
