Hands-On Lab (Intermediate)

Conduct a Threat Hunt Using Kusto Query Language (KQL)

Hunt for indicators of compromise in security logs using advanced KQL queries mapped to MITRE ATT&CK tactics.

Estimated time: 75 min
Guided steps: 4
Auto verification
Isolated sandbox

Lab overview

Detecting threats in enterprise environments requires the ability to query and correlate security data across multiple log sources. Kusto Query Language (KQL) is the primary tool for analyzing logs in Azure Sentinel, Log Analytics, and Microsoft Defender. A structured threat hunt follows the MITRE ATT&CK framework to systematically uncover attacker techniques from initial access through persistence and privilege escalation.

In this lab, you will work with a pre-provisioned Log Analytics workspace containing realistic security data across four tables: SecurityEvent, SigninLogs, OfficeActivity, and AzureActivity. You will hunt for brute force attacks in authentication logs, detect persistence mechanisms like suspicious inbox rules, identify privilege escalation through account manipulation, and correlate findings across the entire kill chain using advanced KQL operators.

Objectives

Upon completing this Intermediate level lab, you will be able to:

  • Identify brute force and credential stuffing attacks by analyzing failed and successful sign-in patterns in SigninLogs
  • Detect persistence mechanisms such as suspicious inbox forwarding rules and account manipulation in OfficeActivity and SecurityEvent tables
  • Hunt for privilege escalation indicators by correlating account modification events across AzureActivity and SecurityEvent logs
  • Construct multi-table KQL queries using join, union, and let statements to trace attacker activity across the kill chain
  • Map discovered indicators of compromise to specific MITRE ATT&CK tactics and techniques
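
The first objective, a brute-force hunt that correlates a burst of failed sign-ins with a later success from the same source, can be written as a single KQL query using the let, summarize and join operators the lab calls out. The query below is an added example, not the lab's own solution; it assumes the standard SigninLogs schema (TimeGenerated, ResultType, IPAddress, UserPrincipalName, AppDisplayName), a failure threshold of 10 attempts, and a one-day lookback, all of which are assumptions you would tune to the workspace data.

```kql
// Added example (not from the lab): brute-force / password-spray hunt in SigninLogs.
// Assumptions: standard SigninLogs columns; ResultType "0" means a successful sign-in.
let lookback = 1d;            // assumed window, tune to the workspace
let failThreshold = 10;       // assumed minimum failed attempts per source IP
// Sources that produced a burst of failed sign-ins, with how many distinct accounts they touched
let failedBursts = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                        // any non-zero ResultType is a failure
    | summarize FailedCount = count(),
                DistinctUsers = dcount(UserPrincipalName),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
              by IPAddress
    | where FailedCount >= failThreshold;
// Successful sign-ins in the same window, keyed by the same source IP
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName;
failedBursts
| join kind=inner successes on IPAddress              // same source IP on both sides
| where SuccessTime between (FirstFail .. (LastFail + 1h))  // success during or shortly after the burst
| extend Tactic = "Credential Access", Technique = "T1110 - Brute Force"   // ATT&CK mapping
| project IPAddress, FailedCount, DistinctUsers, FirstFail, LastFail,
          CompromisedUser = UserPrincipalName, SuccessTime, AppDisplayName, Tactic, Technique
| order by FailedCount desc
```

A high DistinctUsers count with a low FailedCount per user is the password-spray shape; a high FailedCount against one or two accounts is classic brute force. Both produce the same join hit, so keep the DistinctUsers column in the output rather than filtering on it.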

Who is this lab for?

This lab is designed for:

  • Security analysts who need to perform proactive threat hunting using KQL in Azure environments
  • SOC engineers looking to improve their ability to detect and correlate multi-stage attacks

Familiarity with basic KQL operators and the Azure Portal is recommended. Completing the "Introduction to KQL" lab first is strongly suggested.

Verified against your live environment

An automated validation engine inspects your actual resources and configurations as you work. Completion means the task was actually performed in the environment: real-world proficiency, not multiple choice.



Included in Premium
Duration: 75 min
Steps: 4

Environment

Live Cloud Environment

Every lab includes

  • Real environment, pre-credentialed
  • Automated checks on every step
  • Isolated sandbox, auto cleanup
  • AI-recommended next steps

Lab curriculum

  1. Logging into Azure Account using Azure Portal
  2. Exploring the Log Analytics Workspace and MITRE ATT&CK Framework (1 automated check)
  3. Hunting for Initial Access: Brute Force and Credential Attacks (1 automated check)
  4. Hunting for Persistence and Privilege Escalation (1 automated check)
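
Step 04 (and the second and third objectives above) covers persistence and privilege escalation found by looking at two very different log sources, Exchange inbox rules in OfficeActivity and account or group changes in SecurityEvent. The query below is an added example, not the lab's own solution, of normalising both sources to a common schema and combining them with union so one actor's activity is visible in a single result set. It assumes the standard OfficeActivity columns (OfficeWorkload, Operation, Parameters, UserId, ClientIP) and SecurityEvent columns (EventID, Activity, SubjectUserName, TargetUserName, MemberName, Computer); the seven-day lookback and the event ID list are assumptions.

```kql
// Added example (not from the lab): persistence / privilege-escalation hunt across OfficeActivity and SecurityEvent.
let lookback = 7d;   // assumed window
// Inbox rules that forward, redirect or silently delete mail: a common mailbox persistence technique
let inboxRules = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")
    | project TimeGenerated,
              Actor = UserId,                       // who created or changed the rule
              Target = UserId,                      // the mailbox the rule lives in
              Source = ClientIP,
              Activity = Operation,
              Detail = tostring(Parameters),        // rule parameters, including the forwarding address
              Technique = "T1114.003 - Email Forwarding Rule";
// Account creation and privileged-group membership changes on domain-joined hosts
let accountChanges = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4720,   // user account created
                        4728,   // member added to a security-enabled global group
                        4732,   // member added to a security-enabled local group
                        4756)   // member added to a security-enabled universal group
    | project TimeGenerated,
              Actor = SubjectUserName,              // account that made the change
              Target = coalesce(MemberName, TargetUserName),  // added member for group events, new account for 4720
              Source = Computer,
              Activity,
              Detail = tostring(EventID),
              Technique = "T1098 - Account Manipulation";
// Both sides now share the same columns, so union produces one timeline per actor
inboxRules
| union accountChanges
| summarize Events = count(),
            Activities = make_set(Activity),
            Techniques = make_set(Technique),
            Targets = make_set(Target),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Actor
| extend Tactic = "Persistence"
| order by LastSeen desc
```

Because the union keeps the Technique column per row, an actor who appears with both T1114.003 and T1098 in the Techniques set has touched two stages of the kill chain, which is exactly the cross-table correlation the lab's final step asks for. Replace the summarize with a plain sort on TimeGenerated when you want the raw event timeline instead of the per-actor rollup.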
