

Project maintained by GiBoris Hosted on GitHub Pages — Theme by mattgraham

Lab 04 — KQL Queries for Microsoft Sentinel 🔎📊

Platform: Microsoft Sentinel / Microsoft Defender XDR
Focus: Log analysis, detection logic, and threat hunting using Kusto Query Language (KQL)


Objective

This lab demonstrates practical use of Kusto Query Language (KQL) to:


Lab Environment

All activities were performed in a controlled, non-production environment.


1. Querying Custom Tables

Executed queries to retrieve data from custom tables and validate data ingestion.

[Screenshot 1]


2. Filtering Events by Keyword

Searched for events containing specific keywords within log descriptions.

[Screenshot 2]


3. Time-Based Filtering

Filtered events based on a defined timeframe (last 7 days).

[Screenshot 3]


4. Process Creation Filtering

Filtered for events other than those related to process creation activities within a defined timeframe.

[Screenshot 4]
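The four queries above are shown in the lab only as screenshots. The following is an added example, not the lab's own queries: the custom table name MyAppLogs_CL and its column Description_s are assumed, while SecurityEvent, EventID, Computer, Account and Activity are the standard Sentinel Windows security event schema. Each numbered query corresponds to one of sections 1 to 4.

```kql
// Added example, not the lab's own queries.
// Assumed: custom table MyAppLogs_CL with a string column Description_s.

// 1. Validate ingestion into the custom table: row count per hour over the last day.
//    An empty result or a gap in the bins points at a connector or DCR problem.
MyAppLogs_CL
| where TimeGenerated > ago(1d)
| summarize Rows = count() by bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// 2. Keyword filter on the description column. 'has' matches whole terms through
//    the term index; 'contains' is a substring scan and is slower on large tables.
MyAppLogs_CL
| where Description_s has "failed"

// 3. Same search restricted to the last 7 days. Put the time filter first so the
//    engine prunes partitions before evaluating the text predicate.
MyAppLogs_CL
| where TimeGenerated > ago(7d)
| where Description_s has "failed"

// 4. Last 7 days of Windows security events, excluding process creation
//    (EventID 4688), to look at everything that is not a new process.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID != 4688
| project TimeGenerated, Computer, Account, EventID, Activity
| take 50
```

In the Logs editor a blank line separates queries, so run each numbered block on its own. `ago()` is evaluated relative to the query's execution time, which is also what a scheduled analytics rule uses for its lookback.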


5. Identifying Suspicious Accounts

Created a temporary list of accounts exhibiting suspicious activity and used it to filter related events.

[Screenshot 5]


6. Process Creation Analysis

Summarized process creation activity across accounts to identify anomalies.

[Screenshot 6]
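Sections 5 and 6 fit naturally in one query: a `let`-bound list of accounts supplies the temporary watch list, and a `summarize` over process creation events gives the per-account figures to compare. This is an added example, not the lab's query; the account names and the threshold of 25 distinct processes are constructed, and NewProcessName and Account are the SecurityEvent columns for EventID 4688.

```kql
// Added example, not the lab's query. Account names and thresholds are constructed.
let suspiciousAccounts = dynamic(["CONTOSO\\svc-backup", "CONTOSO\\jdoe"]);
let lookback = 7d;
let maxNormalProcesses = 25;   // constructed threshold; baseline it from your own data
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688                                  // process creation
| summarize ProcessCount      = count(),
            DistinctProcesses = dcount(NewProcessName),
            DistinctHosts     = dcount(Computer),
            SampleProcesses   = make_set(NewProcessName, 10)
    by Account
// Section 5: flag rows that match the temporary watch list (case-insensitive)
| extend OnWatchList = Account in~ (suspiciousAccounts)
// Section 6: keep watch-listed accounts plus anyone whose process variety stands out
| where OnWatchList or DistinctProcesses > maxNormalProcesses
| order by DistinctProcesses desc
```

`in~` is the case-insensitive form of `in`, which matters because the Account column mixes DOMAIN\user casing across sources. `make_set` caps the sample at 10 names so a noisy account does not blow up the result row.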


7. Detection Rule Logic

Developed logic to detect repeated account disable failures across multiple systems.

[Screenshot 7]
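The shape of a "repeated failures across multiple systems" rule is a count and a distinct-host count per actor, compared against thresholds. The following is an added example, not the lab's rule: the lab does not show which table or field records a failed account-disable, so the table AccountOps_CL and its columns Action_s, Result_s, SubjectAccount_s and TargetAccount_s are assumed, and the thresholds are constructed.

```kql
// Added example, not the lab's rule. Table, columns and thresholds are assumed.
let lookback    = 1h;   // match the analytics rule's lookback period
let minFailures = 5;    // constructed threshold
let minHosts    = 3;    // constructed threshold
AccountOps_CL
| where TimeGenerated > ago(lookback)
| where Action_s =~ "DisableAccount" and Result_s =~ "Failure"
| summarize Failures  = count(),
            Hosts     = dcount(Computer),
            HostList  = make_set(Computer, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by Actor = SubjectAccount_s, Target = TargetAccount_s
// Both conditions must hold: many failures, and spread over several systems
| where Failures >= minFailures and Hosts >= minHosts
| extend Span = LastSeen - FirstSeen
| order by Failures desc
```

When this is saved as a scheduled analytics rule, the query frequency and lookup period should equal `lookback` so every event is evaluated exactly once, and the alert threshold can stay at "greater than 0" because the query already filters to rows that deserve an alert. Mapping Actor to the Account entity and HostList to Host entities gives the incident its investigation graph.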


8. Latest Event Retrieval

Queried the most recent event for a specific host.

[Screenshot 8]


9. User Activity Analysis

Generated a list of accounts logging into systems over a defined period.

[Screenshot 9]
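Sections 8 and 9 are two short queries over SecurityEvent; both are given here as an added example rather than the lab's own. The host name is a constructed placeholder, and EventID 4624 and LogonType are the standard successful-logon event and its column.

```kql
// Added example, not the lab's queries. Host name is constructed.

// Section 8: newest event for one host. arg_max returns the whole row of the
// latest record and avoids sorting the full table just to take the first line.
SecurityEvent
| where Computer =~ "ws-finance-07.contoso.local"
| summarize arg_max(TimeGenerated, *) by Computer

// Section 9: accounts that logged on during the period, with where and how often.
SecurityEvent
| where TimeGenerated between (ago(7d) .. now())
| where EventID == 4624                        // successful logon
| where LogonType in (2, 10)                   // interactive and RDP; widen as needed
| summarize Logons     = count(),
            Hosts      = make_set(Computer, 20),
            FirstLogon = min(TimeGenerated),
            LastLogon  = max(TimeGenerated)
    by Account
| order by Logons desc
```

Restricting LogonType keeps service and network logons (types 5 and 3) from dominating the list; drop that line if the question is simply "which accounts touched any system".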


10. Data Visualization

Rendered a bar chart to visualize event distribution across accounts.

[Screenshot 10]
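A `render` operator at the end of an aggregation produces the chart directly in the Logs blade. The following is an added example, not the lab's query; it charts failed logons (EventID 4625) per account, which is a common distribution to look at, and the 7-day window and top-10 cut are constructed choices.

```kql
// Added example, not the lab's query. Window and top-N are constructed choices.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625                        // failed logon
| summarize FailedLogons = count() by Account
| top 10 by FailedLogons desc                  // keep the chart readable
| render barchart
```

`render` must be the last operator in the query; any further `where` or `project` after it is rejected. Swapping `summarize ... by Account` for `summarize ... by bin(TimeGenerated, 1h)` with `render timechart` turns the same data into a time series, which is the more useful view when looking for bursts.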


Investigation Value

These queries support:


Skills Demonstrated


Disclaimer

All activities were performed in a controlled lab environment using simulated data.