awesome-kql-sentinel
A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel.
Community contributions are most welcome! Check out our contribution guide today and submit a pull request with any adds/removes/changes to content!
Table Of Contents
Official Learn
- Learning path SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)
- KQL - The Next Query Language You Need to Learn
- MustLearnKQL
- Tutorial: Use Kusto queries
- Write your first query with Kusto Query Language
Official Docs
- Built-in threat detection rules
- KQL quick reference
- Kusto Query Language in Microsoft Sentinel
- Microsoft Sentinel Docs
- Query best practices
- What's new in Microsoft Sentinel
Official Videos
- Azure Sentinel webinar: KQL part 1 of 3 - Learn the KQL you need for Azure Sentinel
- Azure Sentinel webinar: KQL part 2 of 3 - KQL hands-on lab exercises
- Azure Sentinel webinar: KQL part 3 of 3 - Optimizing Azure Sentinel KQL queries performance
- Azure Sentinel Webinar: The Information Model: Understanding Normalization in Azure Sentinel
- Azure Sentinel Webinar: Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content
- Become a Notebooks Ninja – Getting Started with Jupyter Notebooks - Microsoft Sentinel Webinar
- Deploy and Monitor Azure Key Vault Honeytokens with Microsoft Sentinel
- Fusion ML Detections for Emerging Threats & Configuration UI
- KQL Framework for Microsoft Sentinel - Empowering You to Become KQL-Savvy
- Latest Innovations for Microsoft's Cloud Native SIEM Recording - Microsoft Sentinel Webinar
- Microsoft Security Insights Podcast - Twitch
- Microsoft Sentinel Content Management
- M365 Defender - Kusto query language basics
- M365 Defender - Using Advanced Hunting
- Present and Future of UEBA
Official Announcements and Articles
- Advanced KQL Framework Workbook - Empowering you to become KQL-savvy
- Defending Critical Infrastructure with the Microsoft Sentinel: IT/OT Threat Monitoring Solution
- Get Hands-On KQL Practice with this Microsoft Sentinel Workbook
- How To Align Your Analytics With Time Windows In Azure Sentinel Using KQL (Kusto Query Language)
- Investigating Suspicious Azure Activity with Microsoft Sentinel
- Learning with the Microsoft Sentinel Training Lab
- Leveraging the Power of KQL in Incident Response
- Using External Data Sources To Enrich Network Logs Using Azure Storage And KQL
Official Repositories and Tools
Official Forums and Websites
- Microsoft Security Community - Youtube
- Microsoft Security Insights - Podcast
- Microsoft Sentinel Blog
- Microsoft Sentinel TechCommunity
Community
Links below are from community sources, websites, and channels.
Community Videos
- AzureFunBytes Episode 64 - Building SOC Efficiency with @Azure Sentinel with @rodtrent
- Azure Sentinel Lab Series
- GrayHat 2020 - Blue Teaming with Kusto Query Language, KQL - Ashwin Patil
- Managing Microsoft Sentinel using GIT repositories
- Setting up your first Azure Sentinel environment in 50 minutes
- Using Azure Sentinel to protect Microsoft Teams
Community Podcasts
Community Books
Community Articles
- Azure Sentinel Syslog Workbook
- Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel
- How to Use Office 365 Audit Data with Microsoft Sentinel
- Hunting For Anomalies With Time-Series Analysis
- Hunting Log4j with Sentinel
- Keep an eye on your Azure AD guests with Microsoft Sentinel
- KQL Cheat Sheet
- Kusto Make-Series vs Summarize
- Log4j Incident Response
- Microsoft Sentinel and the power of functions
- Ollie, your personal Microsoft Sentinel assistant
- Set up Microsoft Sentinel as a single pane of glass for Microsoft 365 alerts
- Setting up a bidirectional sync between Sentinel and JIRA
- What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD
- When does enabling Microsoft Sentinel make sense?
Community Tools and Websites
- Azure Cloud & AI Domain Blog
- Cloud, Systems Management, Automation
- FalconForce
- Kusto King - Kusto Knight Learning Track
- Learn Sentinel
- Managed Sentinel - Blog
- Microsoft Sentinel this Week
- SecureCloudBlog
Community Repositories
- alexverboon/MDATP/tree/master/AdvancedHunting (Advanced Hunting)
- ashwin-patil/blue-teaming-with-kql
- eshlomo1/Azure-Sentinel-4-SecOps
- FalconForceTeam/FalconFriday
- marcusbakker/KQL
- reprise99/Sentinel-Queries
- rod-trent/SentinelKQL
- scautomation/Azure-Sentinel-Syslog-Workbook
- wortell/KQL