When it comes to learning a new technical skill, there’s nothing like a hands-on course to make it stick. That’s especially true for security analysts diving into KQL, Microsoft’s query language that powers tools like Sentinel and Defender. If you find yourself looking at queries written by some of the pioneers of KQL and trying to make sense of them, BluRaven’s Hands-On KQL for Security Analysts promises to take you from curious beginner to confident query builder. I had the opportunity to spend some time with the course to see if it delivers on that promise. Spoiler: it’s worth talking about.

If you’ve spent any time in a Security Operations Center, you know that data is king. The ability to sift through logs, identify patterns, and extract meaningful insights quickly is one of the most valuable skills you can bring to the table. That’s where KQL comes in—it’s like a detective’s magnifying glass for the sprawling data stores in Microsoft’s ecosystem. But if you’ve ever tried to learn a query language on your own, you know it’s not exactly intuitive. That’s where this course comes into play. You see, I do not want to simply copy/pasta KQL queries from the likes of Steven Lim, Sergio Albea, Rod Trent, or Mark Morowczynski. While their contributions are certainly appreciated, I want to write in the language to suit my specific organization’s needs. My team needs to be able to craft a query on the fly, and be confident with the data that is returned.
I went into BluRaven’s course with some decent experience in KQL (thanks to other courses offered by BluRaven and other contributors to the community), but not enough to call myself a bona fide expert. What I was looking for was a practical approach to using the language in real-world scenarios, not just a lecture about syntax and structure. The course surprised me with its focus on doing rather than just listening. It’s not about memorizing commands or following along with pre-canned examples; it’s about solving problems with KQL. And let’s be real—solving problems is what we do as security analysts.
What sets this course apart is how it makes you feel like you’re already on the job, tackling genuine challenges. Each lesson builds on the last, weaving together concepts in a way that just makes sense. By the time you finish, you don’t just understand KQL—you’ve used it to unearth threats, create reports, and answer the kinds of questions that come up every day in a SOC. It’s practical, it’s relevant, and it’s built for people who don’t have time to waste.
So, does BluRaven’s Hands-On KQL for Security Analysts live up to the hype? Let’s dive into the details of what makes this course worth your time—and whether it could be the game-changer your workflow needs.
Course Structure
The course itself is divided into 13 sections or chapters and assumes zero knowledge in KQL or database management systems.

The first five are foundational sections, suitable for a new analyst who has never run a KQL query before. The next six are intermediate sections that build on the foundations laid earlier. Finally, the course wraps up with a pair of modules that are more advanced in nature.
Foundational Topics and Sections
Getting Started
Every course needs a logical place where the learner can orient and begin the knowledge journey. Hands-On KQL for Security Analysts is no different. In this module, the learner sets up his or her connection to the lab environment, which is surprisingly robust and performant. The setup of the environment is straightforward and intuitive. It is designed to ease the learner into the world of KQL while making sure they are equipped with everything needed to hit the ground running. The section starts by walking the learner through the basics—setting up the environment, accessing Microsoft Sentinel or Log Analytics, and ensuring the learner has the right permissions. It is straightforward, no fluff, and you’ll be up and running before you know it.
What’s great here is how accessible everything feels. Even if you’re not deeply familiar with Microsoft’s tools, the instructions are clear and easy to follow. You’re not just setting up an environment; you’re getting a feel for the interface and starting to understand how it all connects. The lab doesn’t throw you into the deep end—it gives you a life raft while you get comfortable with the tools. Given the configuration of my workstation, I did need to reach out to support for access, and the solution was to use a throwaway email address on outlook.com.
By the end of this section, you’ve already run your first query. It is simple, sure, but it is a real KQL query against lab data. It’s like the course is saying, “See? You can do this.” You get a sense of how queries return data, what it looks like, and why formatting matters. It’s not just about syntax—it’s about starting to see how KQL fits into your day-to-day as a security analyst. It’s a smooth intro that gets you ready for the heavier lifting to come without making it feel like a chore.
Introduction to Databases and Logging
This section is designed to orient the learner to how databases work, including semi-structured ones like Excel spreadsheets. If the thought of running a query over many millions of records slightly intimidates you, by the end of this module you will have more confidence that there will not be a nuclear meltdown even for some of the most demanding Kusto queries. BluRaven discusses Row Store and Column Store databases as the two types of databases in scope for the training, with a nod to the column store model that Azure Data Explorer (ADX) provides. BluRaven uses an analogy to explain the concept of the database in terms that most general office workers can relate to, and then provides concrete examples that the learner can enter into ADX to begin getting a feel for KQL syntax. Again, there are basic queries referenced here; the advanced stuff is coming… believe me. Finally, you will get your initial look at using KQL in both a Microsoft Defender environment and a Microsoft Sentinel environment, and this is followed by a brief discussion of considerations needed for the data that is flowing into these systems.
KQL Fundamentals and Exploring Data
Section 3 is where we shift into first gear and begin really learning KQL. It is not flashy, but like the other sections, there is a method to the madness and this is an important foundational module. That is not to say that the previous modules should be skipped. However, beginning with defining a tabular expression statement, you begin to build on the basics. You may find yourself wanting to copy and paste the code into your lab environment. I HIGHLY RECOMMEND TYPING THE CODE OUT. Ya, I went bold and caps lock on ya for a second, but I think that is a key to retention and learning. After learning the basic syntax of a tabular expression, the course material teaches the let and set statements as a means of defining a named expression that can be used later in the query (like a variable in programming).
Next up is the explanation of common data types used in KQL. If you have ever studied a programming language, this exercise will not be unfamiliar to you. However, defining data types in KQL is like learning the basic vocabulary of a new language—you can’t build a sentence (or a query) without understanding what your words mean. In KQL, data types tell the system how to interpret the values in your dataset, whether they’re numbers, strings, dates, or something more specific. At first, it might seem like just another detail to keep track of, but knowing your data types can save you a ton of headaches later. Picture this: you’re trying to filter logs by timestamp, but if the system treats your timestamp as a string instead of a datetime, you’re in for some frustration. The good news is that KQL makes it pretty straightforward. Once you get the hang of identifying and converting data types, you’ll find yourself navigating through your queries with way less guesswork—and way more clarity.
As the section begins to come to a close, BluRaven explains the count, take/limit, sample, and distinct operators that are perfect for performing exploratory queries, and then completes the learning material with an explanation of the project, project-rename, project-reorder, and project-away operators and how they can be used to shape your result set. The section wraps up with some exercises against the lab environment. The questions reflect the kind of tasks a Security Analyst may be asked to perform. Full solutions are provided after the exercises have been submitted.
Searching and Filtering Data
This meaty section provides the foundations for sifting through large haystacks of data to find the needles in them. Microsoft Sentinel and Defender are very powerful data sources, so finding the right data and eliminating the noise is critical in a security operations context. By the end of this section, you will understand the search, has, hassuffix, hasprefix, contains, and matches regex operators, and when and why to use each one.
Next, you will learn about logical operators like AND, OR, and NOT, as well as string operators like ==, !=, etc. and numeric operators for performing arithmetic operations on the data sets. Finally, a specific callout is made to the between operator, which can be used for numeric, datetime, and timespan values.
Another critical operator that you are introduced to in this section is the where operator. You can think of the where operator as your go-to tool for filtering or narrowing down the results to only what you want to see, based on the conditions and parameters that you define. Need to find logs for a specific user? Use the where operator. Want to check out activity that has occurred in the past 15 minutes? Where has you covered. But what if you have more than one condition you are trying to solve for? KQL lets you chain where clauses one after another, or you can use the and operator to combine the conditions into a single where clause. With foundational knowledge of the where operator, we are ready to shift into 2nd gear.
Remember the let and set statements from earlier in the course? They are back in this section with tips and strategies for making your KQL queries more efficient and easier to read, along with the new function dynamic(). Armed with this new knowledge, you can begin building practical queries based on lists of data. Perhaps you have some suspicious IP addresses you are trying to track. Throughout the course, you will explore real use cases that a Security Analyst may be presented with.
The remainder of this section explores other use cases using timestamp filtering and creating timelines using search and where. The section explores special IPv4 functions, such as ipv4_is_in_range(), ipv4_is_in_any_range(), and ipv4_is_private(). Finally, the section ends with a discussion and material pertaining to regular expressions and filtering JSON Data using dot and bracket notation. More exercises are presented at the end of this section to reinforce the concepts of the section. Good stuff.
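To tie the fundamentals and filtering sections together, here is a single exploratory query written for this review (not course material) over a constructed sign-in table. It assumes nothing beyond the built-in operators named above; the table, users and addresses are made up, and the timestamp is deliberately stored as a string to show the conversion the course warns about.

```kql
// Constructed sample: three sign-in records, timestamp stored as text (a common pitfall)
let RawSignins = datatable(TimeGeneratedText:string, UserPrincipalName:string, IPAddress:string, UserAgent:string, DeviceDetail:dynamic)
[
    "2024-05-01T08:15:00Z", "jdoe@example.com",   "10.20.30.40",  "Mozilla/5.0 (Windows NT 10.0) Edge/124", dynamic({"operatingSystem":"Windows 10","browser":"Edge"}),
    "2024-05-01T09:02:00Z", "asmith@example.com", "203.0.113.25", "python-requests/2.31",                   dynamic({"operatingSystem":"Linux","browser":""}),
    "2024-05-01T23:40:00Z", "jdoe@example.com",   "198.51.100.7", "Mozilla/5.0 (Macintosh) Safari/17",      dynamic({"operatingSystem":"macOS","browser":"Safari"})
];
// let binds reusable values; dynamic() builds the JSON arrays used by in~ and the IPv4 helpers
let WatchedUsers   = dynamic(["jdoe@example.com"]);
let ExternalRanges = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
RawSignins
// A string timestamp compares lexically, not chronologically: convert to datetime first
| extend TimeGenerated = todatetime(TimeGeneratedText)
| where TimeGenerated between (datetime(2024-05-01T00:00:00Z) .. datetime(2024-05-02T00:00:00Z))
// in~ tests membership in a list (case-insensitive); contains matches any substring;
// matches regex applies a regular expression; has (not used here) matches whole terms
| where UserPrincipalName in~ (WatchedUsers)
    or UserAgent contains "requests"
    or UserAgent matches regex @"Edge/\d+"
// IPv4 helpers: flag RFC 1918 sources and test membership in a list of CIDR ranges
| extend IsPrivateSource = ipv4_is_private(IPAddress),
         InExternalRange = ipv4_is_in_any_range(IPAddress, ExternalRanges)
// Dot notation reaches into the dynamic (JSON) column
| extend OS = tostring(DeviceDetail.operatingSystem)
| project-rename User = UserPrincipalName
| project TimeGenerated, User, IPAddress, IsPrivateSource, InExternalRange, OS
| take 10
```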
Creating and Manipulating Fields
When working with unstructured or semi-structured data in KQL, the parse, parse-where, and parse-kv operators are your secret weapons. They take messy logs and turn them into actionable insights, allowing you to dig deeper and spot the details that matter. These operators are all about extracting the data you need and making it easier to work with, even when the dataset feels like a jumbled mess.
The parse operator is the most versatile of the bunch. Think of it as a way to extract patterns from strings and give them structure. For example, if you’re dealing with log entries that store IP addresses or user agents as part of a long text string, parse lets you pinpoint and extract those details into separate columns. It’s all about taking raw data and reshaping it into something you can actually query effectively.
Next, there’s parse-where, which builds on the functionality of parse by adding a filtering layer. This operator doesn’t just extract information; it lets you focus only on the rows that meet specific conditions. Imagine you’re parsing logs for errors but only care about entries related to a certain service or timeframe—parse-where helps you zero in on what you need without pulling in unnecessary noise.
Finally, parse-kv is the operator you’ll love when dealing with key-value pairs. Logs often store data in key-value format, especially in JSON or certain application logs, and parse-kv lets you automatically extract those pairs into columns for easy analysis. For example, given a log with user=jdoe action=login status=success, this operator will split everything neatly into columns like user, action, and status, saving you from writing extra code to parse it manually.
Together, these operators turn unstructured chaos into structured order. They empower you to handle real-world scenarios where data isn’t always clean or consistent. By mastering parse, parse-where, and parse-kv, you’ll be able to tackle even the messiest logs with confidence, uncovering the insights that keep your security operations one step ahead.
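As an added illustration (not from the course), the following query runs parse-where and parse-kv over constructed audit lines in the user=jdoe action=login status=success shape described above; the table and its contents are made up for this example.

```kql
// Constructed sample: free-text audit lines, one of which carries no key-value payload
let AuditLog = datatable(TimeGenerated:datetime, Message:string)
[
    datetime(2024-05-01T08:15:00Z), "Login from 10.20.30.40 user=jdoe action=login status=success",
    datetime(2024-05-01T08:16:30Z), "Login from 203.0.113.25 user=jdoe action=login status=failure",
    datetime(2024-05-01T08:17:05Z), "Heartbeat ok",
    datetime(2024-05-01T08:20:00Z), "Login from 198.51.100.7 user=asmith action=reset_password status=success"
];
AuditLog
// parse-where extracts the source IP with a pattern and drops rows that do not match,
// so the heartbeat line disappears; plain parse would keep it with an empty SourceIP
| parse-where Message with "Login from " SourceIP:string " " KvPart:string
// parse-kv splits the remaining "key=value key=value" text into typed columns
| parse-kv KvPart as (user:string, action:string, status:string)
    with (pair_delimiter=" ", kv_delimiter="=")
// the new columns are now first-class: filter on them like any other field
| where status == "failure" or action == "reset_password"
| project TimeGenerated, SourceIP, user, action, status
```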
When you’re working with data in KQL, sometimes less is more. That’s where the project and extend operators come in—they let you tailor your results, focusing only on what’s important while adding extra context when needed. These operators aren’t flashy, but they’re the workhorses of your queries, helping you slice and dice your data in ways that make it infinitely more useful.
The project operator is like packing light for a trip—it keeps your results streamlined and clutter-free. Let’s say you’re running a query against your logs, and the dataset has 20 columns, but you only care about three of them, like Timestamp, IPAddress, and EventID. Using project, you can tell KQL to include just those columns in the results, cutting out the noise. It’s also great for renaming columns on the fly, so instead of seeing something like SourceIPAddress every time, you can simplify it to IP and make your results easier to read.
Then there’s extend, which feels like giving your data a bonus round. This operator lets you create new calculated columns based on your existing data. For example, you could add a column that converts event durations from milliseconds to seconds, or create a flag for events occurring outside business hours. The best part? It doesn’t mess with your original data—it just adds to it, so you’re working with enriched results without losing anything.
The magic happens when you combine these two operators. You can use extend to add meaningful context, like calculated risk scores, and then follow up with project to keep only the most relevant details. Together, they make your queries not just functional but elegant, cutting out the irrelevant bits while adding insights that matter.
Mastering project and extend is like learning to clean up your workspace—it keeps things neat, efficient, and focused. Once you get the hang of them, you’ll wonder how you ever worked through massive datasets without these tools in your back pocket.
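The extend-then-project pattern described above, as an example added for this review (not course code) over a constructed endpoint-event table; the business-hours window and the risk weights are assumptions chosen for illustration.

```kql
// Constructed sample: endpoint events with a duration in milliseconds and several columns
// an analyst rarely needs in the final result
let DeviceEvents = datatable(Timestamp:datetime, DeviceName:string, SourceIPAddress:string, EventID:int, DurationMs:long, AccountName:string, InitiatingProcessFileName:string)
[
    datetime(2024-05-01T08:15:00Z), "ws-0421",  "10.20.30.40", 4688, 1250,  "jdoe",    "powershell.exe",
    datetime(2024-05-01T22:45:00Z), "ws-0421",  "10.20.30.40", 4688, 30500, "jdoe",    "cmd.exe",
    datetime(2024-05-02T03:10:00Z), "srv-db01", "10.20.31.5",  4624, 90,    "svc_sql", "services.exe"
];
DeviceEvents
// extend adds calculated columns and leaves every original column in place
| extend DurationSec = DurationMs / 1000.0,
         HourOfDay   = hourofday(Timestamp),
         DayOfWeek   = dayofweek(Timestamp)   // timespan: 0d = Sunday ... 6d = Saturday
// assumed business hours: 08:00-18:00 UTC, Monday to Friday
| extend OutsideBusinessHours = HourOfDay < 8 or HourOfDay >= 18
                             or DayOfWeek == 0d or DayOfWeek == 6d
// an additive risk score built only from the enriched columns (weights are illustrative)
| extend RiskScore = iff(OutsideBusinessHours, 2, 0)
                   + iff(InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe"), 1, 0)
                   + iff(DurationSec > 10, 1, 0)
// project keeps just the columns that matter and renames SourceIPAddress on the fly
| project Timestamp, IP = SourceIPAddress, EventID, AccountName, DurationSec, OutsideBusinessHours, RiskScore
| order by RiskScore desc
```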
As you complete the foundational sections of the course, you should begin feeling confident in performing solid KQL queries, understanding the logic behind them, and feeling good about querying a single table in KQL. However, as you will see in the next few modules, we haven’t even shifted out of second gear yet in your KQL Mastery journey. Let’s look at the intermediate topics in detail.
Intermediate Topics
Working with Multiple Data Sets
Combining and Joining Data Sets in KQL
When working with multiple data sets in KQL, the real magic happens when you combine and join them. It’s like connecting the dots in a massive puzzle, where each dataset holds a piece of the bigger picture. Whether you’re correlating logs, enriching data, or finding patterns across different sources, KQL gives you the tools to bring it all together seamlessly.
Combining data sets in KQL often starts with union-like operations, where you stack data from multiple tables into one cohesive result. Let’s say you’ve got sign-in logs in one table and application access logs in another. With a simple union operator, you can combine both sets of logs into a single view, making it easier to search for patterns or anomalies across them. It’s straightforward and works well when your data sets have similar columns or when you need a high-level overview without worrying too much about structure.
But if union is like stacking Lego bricks, joining data sets is where you start building something more intricate. The join operator in KQL lets you connect two tables based on a shared key—think IP addresses, user IDs, or timestamps. This is a game-changer for analysts because it lets you correlate data from different sources. For example, you could join network logs with threat intelligence feeds to spot suspicious IP addresses or merge authentication data with endpoint logs to track a user’s activity across systems.
The beauty of KQL’s join lies in its flexibility. You can choose the type of join that makes sense for your use case: inner joins to focus only on matches, left joins to keep everything from one table while adding context from another, or even anti-joins to find mismatches or gaps. Each option gives you a different lens to view your data, helping you uncover insights that wouldn’t be visible in isolation. KQL supports many different join types, and BluRaven explains each of them using concrete examples to clarify the result set that comes from each join type.
Combining and joining data sets is where KQL shines as a data analysis powerhouse. These tools let you break down silos, connect the dots, and create meaningful context out of scattered data. Once you’ve got the hang of it, you’ll see how powerful KQL can be for finding the stories hidden in your logs.
The training material does a great job of not only providing you information readily found in the manual pages for each operator, but also explains best practices for combining and joining data sets.
Using External Threat Intel Feeds
If you have made it this far through the course, you are likely feeling confident and knowledgeable in your foundational and even intermediate topic queries. Now it is time to shift into another gear and look at using the externaldata operator, which will unlock things like incorporating threat intelligence data in with your queries.
The externaldata operator allows you to specify a file or URL as the source and define the structure of the incoming data. For example, if you have a regularly updated threat feed of suspicious IP addresses in a CSV format, you can use externaldata to bring that information directly into your query. You define the columns—like IPAddress, ThreatType, and LastSeen—and KQL does the heavy lifting, importing it as if it were just another table in your workspace.
Once the threat intel data is loaded, you can combine it with your internal logs using a join. This is where things get interesting. Let’s say you have firewall logs showing outgoing connections, and you’re looking for matches with known malicious IPs. By joining your firewall logs with the data from externaldata, you can quickly identify potential threats. The process is efficient, and because you’re using KQL, the analysis is lightning-fast even with large datasets.
What makes externaldata so powerful is its ability to adapt to dynamic threat landscapes. Threat intel data changes frequently, and with this operator, you can pull in the most up-to-date information without having to hard-code it into your environment. Whether it’s a one-off lookup or a recurring part of your analysis workflow, externaldata makes integrating external intelligence seamless.
In the context of threat hunting and security operations, the externaldata operator turns KQL into a more versatile tool. It bridges the gap between internal monitoring and external threat awareness, helping you stay proactive against emerging threats. With this operator in your toolkit, you’re better equipped to keep your organization one step ahead of attackers.
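The union, join and externaldata ideas from the last two sections fit in one query, shown here as an example written for this review rather than taken from the course. The feed URL is a placeholder you must replace with a real CSV of IPAddress,ThreatType,LastSeen rows; the two internal tables are constructed.

```kql
// Constructed sample: two internal tables with the same shape, as union likes them
let FirewallLogs = datatable(TimeGenerated:datetime, SourceIP:string, DestinationIP:string, DestinationPort:int)
[
    datetime(2024-05-01T08:15:00Z), "10.20.30.40", "203.0.113.25", 443,
    datetime(2024-05-01T08:16:00Z), "10.20.30.41", "198.51.100.7", 8443,
    datetime(2024-05-01T08:17:00Z), "10.20.30.42", "192.0.2.10",   80
];
let ProxyLogs = datatable(TimeGenerated:datetime, SourceIP:string, DestinationIP:string, DestinationPort:int)
[
    datetime(2024-05-01T08:18:00Z), "10.20.30.40", "203.0.113.25", 443
];
// externaldata reads the CSV at the URL and presents it as a table whose columns you declare;
// the URL is a placeholder (assumption), ignoreFirstRecord skips the CSV header row
let ThreatFeed = externaldata(IPAddress:string, ThreatType:string, LastSeen:datetime)
    [@"https://example.invalid/feeds/bad-ips.csv"]
    with (format="csv", ignoreFirstRecord=true);
// rename the key so both sides of the join share the column name DestinationIP
let Indicators = ThreatFeed | project DestinationIP = IPAddress, ThreatType, LastSeen;
// union stacks the rows of both internal tables into one result set
let Outbound = union FirewallLogs, ProxyLogs;
// three join kinds over the same inputs:
//   inner     - only connections whose destination is in the feed (the hits)
//   leftouter - every connection, with feed columns filled in where there is a match
//   leftanti  - only connections with no match in the feed (what is left to review)
let Hits     = Outbound | join kind=inner     Indicators on DestinationIP | extend JoinKind = "inner";
let Enriched = Outbound | join kind=leftouter Indicators on DestinationIP | extend JoinKind = "leftouter";
let Clean    = Outbound | join kind=leftanti  Indicators on DestinationIP | extend JoinKind = "leftanti";
// union again so the three result sets can be compared side by side; columns missing
// from leftanti (ThreatType, LastSeen) come back empty for those rows
union Hits, Enriched, Clean
| project JoinKind, TimeGenerated, SourceIP, DestinationIP, DestinationPort, ThreatType, LastSeen
| order by JoinKind asc, TimeGenerated asc
```

To dry-run without a feed, swap the externaldata statement for a datatable with the same three columns; everything else stays the same.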
Time Traveling Within the Logs
Time Traveling in KQL
Time traveling in KQL isn’t about jumping in a DeLorean—it’s about navigating your data across different points in time. This concept allows you to analyze historical trends, compare past and present activity, or focus on specific timeframes to uncover patterns that might not be obvious in real-time data. Whether you’re investigating an incident or looking for anomalies, KQL makes it easy to zoom in and out of your data’s timeline.
At its core, time traveling in KQL is all about leveraging time-based operators and filters. The where operator is your go-to tool for filtering data by timestamps. For instance, you can use it to isolate events from the last 24 hours (where Timestamp > ago(24h)) or focus on a specific range, like last week (where Timestamp between (startofday(ago(7d)) .. startofday(ago(6d)))). These filters let you hone in on exactly when something happened, without sifting through irrelevant logs.
But it doesn’t stop there. KQL lets you compare data from different timeframes to spot changes or trends. Using functions like summarize with bin lets you group data into time slices—like hourly or daily intervals—so you can see how activity evolves. For example, you might track login attempts over the past week to identify spikes or unusual patterns that align with known attack methods.
One of the coolest aspects of time traveling in KQL is the ability to look back and “replay” what happened before or after a specific event. This is especially useful for incident response. Let’s say you’ve identified a suspicious login; by filtering your logs to just before and after that event, you can reconstruct the attacker’s activity and figure out what they accessed or changed.
Time traveling isn’t just a feature; it’s a mindset for approaching your data with flexibility. By mastering time-based operators and functions, you can uncover the stories hidden in your logs, piece together sequences of events, and gain insights that keep your security operations sharp and forward-thinking. BluRaven dedicates an entire section to this critical concept, and it is one of those core tools that you will wonder how you ever went without it.
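The “replay” described above, as an example added for this review (not course code): it picks the first successful sign-in from an unfamiliar address as the pivot and pulls everything from two constructed tables within 30 minutes on either side. The data, user and addresses are made up.

```kql
// Constructed sample: sign-ins and endpoint events around one suspicious login
let SigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
    datetime(2024-05-01T02:05:00Z), "jdoe@example.com", "198.51.100.7", "50126",
    datetime(2024-05-01T02:06:00Z), "jdoe@example.com", "198.51.100.7", "50126",
    datetime(2024-05-01T02:07:00Z), "jdoe@example.com", "198.51.100.7", "0",
    datetime(2024-05-01T09:00:00Z), "jdoe@example.com", "10.20.30.40",  "0"
];
let DeviceEvents = datatable(TimeGenerated:datetime, AccountName:string, ActionType:string, FileName:string)
[
    datetime(2024-05-01T02:09:00Z), "jdoe", "ProcessCreated", "powershell.exe",
    datetime(2024-05-01T02:25:00Z), "jdoe", "FileCreated",    "archive.zip",
    datetime(2024-05-01T09:05:00Z), "jdoe", "ProcessCreated", "outlook.exe"
];
// Step 1: the pivot is the first successful sign-in (ResultType 0) from the unfamiliar address.
// In live data you would typically narrow this with a relative filter such as
// "| where TimeGenerated > ago(24h)" before picking the pivot.
let PivotTime = toscalar(
    SigninLogs
    | where ResultType == "0" and IPAddress == "198.51.100.7"
    | summarize min(TimeGenerated));
// Step 2: replay both sources for 30 minutes before and after the pivot, on one timeline
union
    (SigninLogs   | extend Source = "Signin", Detail = strcat("Result ", ResultType, " from ", IPAddress)),
    (DeviceEvents | extend Source = "Device", Detail = strcat(ActionType, " ", FileName))
| where TimeGenerated between ((PivotTime - 30m) .. (PivotTime + 30m))
// a signed offset makes "before" and "after" obvious when reading the timeline
| extend OffsetFromPivot = TimeGenerated - PivotTime
| project TimeGenerated, OffsetFromPivot, Source, Detail
| order by TimeGenerated asc
```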
Aggregating and Visualizing Data
BluRaven begins this section by reinforcing the importance of aggregation in security operations and analysis. A detailed examination of the summarize operator is covered, along with its associated functions like make_list(), make_set(), count(), dcount(), count_distinct(), max(), min(), avg(), sum(), arg_max() and arg_min(), countif(), and make_set_if(). That is a lot of functions, which should tell you how important this operator and its companions are. Whether you’re calculating averages, counting events, or tracking trends over time, instead of wading through thousands of rows, summarize helps you zoom out and see the bigger picture in just a few lines of query.
The section wraps up by examining multi-valued data, such as data elements contained in an array within a single column. An examination of the mv-expand operator explains how you can unpack these special data elements and access values within the data set as if the values are in individual rows. While mv-expand is incredibly powerful, it’s worth noting that it can increase the size of your dataset significantly, especially if you’re working with large arrays. But when used thoughtfully, it transforms messy, multi-value data into clean, actionable insights. It’s one of those operators that you might not use in every query, but when you need it, nothing else quite compares.
Once you have selected, filtered, calculated, and expanded your data, visualizations provide an additional weapon in your arsenal for spotting anomalies and other outliers in a large data set. While not intended for polished presentations, various chart types are available to help you visualize data. BluRaven explains the role of the render operator, and places it into context with the various visualization types that are available to you in the query environment. It is also possible to obtain geospatial information from IP addresses using the geo_info_from_ip_address() function. BluRaven dedicates a full module to geospatial visualizations in this course, including displaying information on a pew-pew map.
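An example added for this review (not course material) that exercises mv-expand, several of the summarize functions listed above, geo_info_from_ip_address(), and render in one pass over a constructed alert table whose RemoteIPs column holds an array per alert. Note that the documentation-range addresses used here return no geolocation, which is why the Countries set is filtered.

```kql
// Constructed sample: alerts whose RemoteIPs column is an array, including an empty one
let Alerts = datatable(TimeGenerated:datetime, AlertName:string, Severity:string, DeviceName:string, RemoteIPs:dynamic)
[
    datetime(2024-05-01T08:00:00Z), "Suspicious PowerShell", "High",   "ws-0421",  dynamic(["203.0.113.25"]),
    datetime(2024-05-01T08:30:00Z), "Suspicious PowerShell", "High",   "ws-0422",  dynamic(["203.0.113.25", "198.51.100.7"]),
    datetime(2024-05-01T09:10:00Z), "Port scan detected",    "Medium", "srv-db01", dynamic(["192.0.2.10"]),
    datetime(2024-05-01T10:45:00Z), "Suspicious PowerShell", "High",   "ws-0421",  dynamic([])
];
Alerts
// mv-expand emits one row per array element, so the row count grows with array length;
// isnotempty drops any row that did not yield a usable address
| mv-expand RemoteIP = RemoteIPs to typeof(string)
| where isnotempty(RemoteIP)
// geo_info_from_ip_address returns a property bag (country, state, city, latitude, longitude)
| extend Geo = geo_info_from_ip_address(RemoteIP)
| extend Country = tostring(Geo.country)
// summarize collapses to one row per alert name; arg_max returns the row's TimeGenerated
// and DeviceName for the most recent occurrence
| summarize AlertCount   = count(),
            Devices      = make_set(DeviceName),
            DistinctIPs  = dcount(RemoteIP),
            HighSeverity = countif(Severity == "High"),
            Countries    = make_set_if(Country, isnotempty(Country)),
            FirstSeen    = min(TimeGenerated),
            arg_max(TimeGenerated, DeviceName)
    by AlertName
| project-rename LastSeen = TimeGenerated, LatestDevice = DeviceName
// render draws the aggregated result in the query editor
| render barchart with (xcolumn=AlertName, ycolumns=AlertCount, HighSeverity)
```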
Advanced Topics
Time-series Analysis
Time-series analysis in KQL is all about making sense of your data across time. Whether you’re monitoring system performance, tracking security incidents, or hunting for anomalies, analyzing time-series data gives you the context you need to understand not just what happened, but when and how it unfolded. With KQL’s powerful time-based operators and functions, diving into time-series data is both intuitive and efficient. BluRaven explains why time-series is important for security analysts, and then dives into the content, anchored by the bin() function and the make-series operator. With the explanation complete, BluRaven dives into implementation techniques, including visualizing binned data and continuous time-series data. The function series_decompose_anomalies() is explored, including the role of baselines and anomalies in identifying patterns (spikes and drops).
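The make-series and series_decompose_anomalies() workflow, as an example written for this review (not course code). It generates three days of constructed hourly failed-sign-in events with one injected burst, builds the series, and lists the hours the decomposition flags; the baseline rate and the spike are assumptions.

```kql
// Constructed sample: 72 hours of failed sign-ins, 4-6 per hour, with a burst of 60 at one hour
let Start     = datetime(2024-05-01T00:00:00Z);
let End       = datetime(2024-05-04T00:00:00Z);
let SpikeHour = datetime(2024-05-02T03:00:00Z);
let FailedSignins = range Hour from Start to (End - 1h) step 1h
    | extend Failures = iff(Hour == SpikeHour, 60, 4 + hourofday(Hour) % 3)
    // expand each hourly count into that many individual event rows
    | mv-expand Seq = range(1, Failures, 1)
    | project TimeGenerated = Hour;
// The summarize-by-bin approach would be "| summarize count() by bin(TimeGenerated, 1h)",
// but it omits empty hours. make-series returns one ordered array per series with every
// bucket present (default = 0), which is what the series_* functions need.
FailedSignins
| make-series FailuresPerHour = count() default = 0 on TimeGenerated from Start to End step 1h
// Anomalies holds 1 for a spike, -1 for a drop, 0 otherwise; Baseline is the fitted
// expected value; 1.5 is the anomaly threshold
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailuresPerHour, 1.5)
// at this point "| render anomalychart with (anomalycolumns=Anomalies)" would chart the
// series; instead expand the parallel arrays back into rows and keep only flagged hours
| mv-expand TimeGenerated to typeof(datetime), FailuresPerHour to typeof(long),
            Anomalies to typeof(int), Baseline to typeof(real)
| where Anomalies != 0
| project TimeGenerated, FailuresPerHour, Baseline, Anomalies
```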
Rapid Triage and Investigation Using KQL
The final content section of the course provides you with techniques for working with alert data. The course uses Microsoft Defender for Endpoint as its data source, but any table and source can be used. By using aggregation functions introduced earlier in the course, you should feel confident in exploring the material in this section. Among the topics is a series of sample questions that can be answered by gathering alert context and building a robust query to extract detailed information for each entity type. The material pivots to investigating the last timestamp for an event, such as when an attacker bypasses EDR and “disappears” from the logs. By combining data sets from disparate systems, it is possible to enrich the data and make the security analyst’s work more efficient.
Conclusion
Wrapping up my experience with BluRaven’s Hands-On KQL for Security Analysts, it’s clear that this training hits the mark for anyone looking to strengthen their skills in querying and analyzing data in Microsoft’s ecosystem. This course doesn’t just skim the surface; it dives deep into the practicalities of KQL, building both confidence and competence in a way that feels organic and rewarding.
From the start, the training is grounded in real-world applications. It begins with the basics, giving you a strong foundation in data types and the structure of KQL queries. But it doesn’t stop at theory—you’re encouraged to jump right in and start exploring. Each section builds on the last, and before you know it, you’re tackling more complex scenarios like searching, filtering, and defining relationships in the data. The progression is seamless, and the hands-on approach ensures that concepts stick.
The course really shines when it moves into more advanced territory. Operators like parse, parse-where, and parse-kv open up a new level of precision for working with unstructured data. You’re not just learning commands; you’re seeing how to turn chaotic logs into structured, actionable insights. Similarly, the sections on project and extend teach you how to refine and enrich your results, keeping things streamlined while adding meaningful context.
Time-series analysis is another standout element. Whether you’re identifying trends with bin, creating time-series data with make-series, or spotting anomalies with advanced functions, you’re given the tools to view your logs through a temporal lens. This focus on time-based patterns isn’t just useful—it’s essential for anyone in a security role. The same goes for joining and combining data sets, where you learn how to connect disparate pieces of information to uncover the bigger picture. The ability to correlate logs, track incidents across devices, and enrich data with external sources like threat intelligence transforms KQL from a query language into a full-on investigation tool.
The course doesn’t ignore the more tactical aspects either. Rapid triage techniques, particularly in the context of Microsoft Defender for Endpoint, are an invaluable takeaway. By the end of the training, you’re equipped to respond to alerts with precision, diving into the surrounding data, uncovering root causes, and assessing potential blast radii—all within minutes. These skills aren’t just nice to have; they’re the kind of capabilities that make a measurable impact on your organization’s response times and overall security posture.
What sets this training apart is the balance it strikes between depth and accessibility. It’s thorough without being overwhelming, and it respects your time by focusing on what matters most. For the cost ($325), the value is undeniable. The hands-on exercises, practical examples, and real-world focus make every hour spent on this course worthwhile. It’s not just about learning KQL—it’s about learning how to use it in meaningful ways that make your job easier and more impactful.
If you’re a security analyst looking to up your game, BluRaven’s Hands-On KQL for Security Analysts is an investment that pays off immediately. The skills you gain aren’t just technical—they’re practical, empowering you to find insights, respond faster, and feel more confident in your work. This course is everything you need to turn KQL from just another tool into a core part of your workflow.
