Conduct a Threat Hunt Using Kusto Query Language (KQL)
Hunt for indicators of compromise in security logs using advanced KQL queries mapped to MITRE ATT&CK tactics.

Lab overview
Detecting threats in enterprise environments requires the ability to query and correlate security data across multiple log sources. Kusto Query Language (KQL) is the primary tool for analyzing logs in Azure Sentinel, Log Analytics, and Microsoft Defender. A structured threat hunt follows the MITRE ATT&CK framework to systematically uncover attacker techniques from initial access through persistence and privilege escalation.
In this lab, you will work with a pre-provisioned Log Analytics workspace containing realistic security data across four tables: SecurityEvent, SigninLogs, OfficeActivity, and AzureActivity. You will hunt for brute force attacks in authentication logs, detect persistence mechanisms like suspicious inbox rules, identify privilege escalation through account manipulation, and correlate findings across the entire kill chain using advanced KQL operators.
Objectives
Upon completing this Intermediate-level lab, you will be able to:
- Identify brute force and credential stuffing attacks by analyzing failed and successful sign-in patterns in SigninLogs
- Detect persistence mechanisms such as suspicious inbox forwarding rules and account manipulation in OfficeActivity and SecurityEvent tables
- Hunt for privilege escalation indicators by correlating account modification events across AzureActivity and SecurityEvent logs
- Construct multi-table KQL queries using join, union, and let statements to trace attacker activity across the kill chain
- Map discovered indicators of compromise to specific MITRE ATT&CK tactics and techniques
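The following query is an added example of the kind of hunt the objectives describe; it is not part of the lab's own content. It builds one stage per ATT&CK tactic with let, correlates failed and successful sign-ins with join, and stitches the results together with union. It assumes the standard Log Analytics schema for the SigninLogs, OfficeActivity and SecurityEvent tables (columns such as ResultType, UserPrincipalName, Operation, Parameters, EventID, MemberName, TargetUserName); the 24-hour window and the failure threshold of 10 are illustrative values, not figures from the lab.

```kql
// Added example (not the lab's own query). Assumes the standard Log Analytics schema;
// lookback window and failure threshold are illustrative and should be tuned per tenant.
let lookback = 24h;
let failure_threshold = 10;
// Initial Access - T1110 Brute Force: repeated failed sign-ins from one IP against one
// account, followed by a success from the same IP after the last failure.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"            // "0" is a successful sign-in; anything else is a failure
    | summarize Failures = count(), LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where Failures >= failure_threshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
let bruteForce = failures
    | join kind=inner successes on UserPrincipalName, IPAddress
    | where SuccessTime > LastFailure     // success must come after the failure burst
    | extend Tactic = "Initial Access", Technique = "T1110 Brute Force"
    | project TimeGenerated = SuccessTime, Account = UserPrincipalName, Source = IPAddress,
        Tactic, Technique, Detail = strcat(Failures, " failures before success");
// Persistence - T1114.003 Email Forwarding Rule: new or modified inbox rules whose
// parameters forward or redirect mail out of the mailbox.
let inboxRules = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
    | extend Tactic = "Persistence", Technique = "T1114.003 Email Forwarding Rule"
    | project TimeGenerated, Account = UserId, Source = ClientIP, Tactic, Technique,
        Detail = Operation;
// Privilege Escalation - T1098 Account Manipulation: members added to security groups
// (Windows event IDs 4728 global, 4732 local, 4756 universal group).
let groupAdds = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4728, 4732, 4756)
    | extend Tactic = "Privilege Escalation", Technique = "T1098 Account Manipulation"
    | project TimeGenerated, Account = MemberName, Source = Computer, Tactic, Technique,
        Detail = strcat(SubjectUserName, " added member to group ", TargetUserName);
// Stitch the stages into a single kill-chain timeline.
union bruteForce, inboxRules, groupAdds
| order by TimeGenerated asc
```

Each stage projects the same output columns (TimeGenerated, Account, Source, Tactic, Technique, Detail) so that union produces a clean timeline. Before summarizing per account across stages, note that SecurityEvent reports the member as a distinguished name while SigninLogs and OfficeActivity use a user principal name, so the Account column would need normalizing first.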
Who is this lab for?
This lab is designed for:
- Security analysts who need to perform proactive threat hunting using KQL in Azure environments
- SOC engineers looking to improve their ability to detect and correlate multi-stage attacks
Familiarity with basic KQL operators and the Azure Portal is recommended. Completing the "Introduction to KQL" lab first is strongly suggested.
Verified against your live environment
An automated validation engine inspects your actual resources and configurations as you work. Completion means the task was actually performed: real-world proficiency, not multiple choice.
More labs like this
Introduction to Kusto Query Language (KQL) in Azure Log Analytics
Learn KQL fundamentals by querying real log data in Azure Log Analytics using search, where, project, and summarize operators.
Implement Network Security Groups (NSGs) and Application Security Groups (ASGs) in Azure
Secure Azure VMs using Network Security Groups and Application Security Groups. Create rules, control traffic flow, and implement least privilege access.
Creating a Web App on Azure App Service using Azure Portal
Learn how to create, configure, and deploy a web application using Azure App Service through the Azure Portal's interface.
Environment
Every lab includes
- Real environment, pre-credentialed
- Automated checks on every step
- Isolated sandbox, auto cleanup
- AI-recommended next steps
Lab curriculum
- 01 Logging into Azure Account using Azure Portal
- 02 Exploring the Log Analytics Workspace and MITRE ATT&CK Framework (1 automated check)
- 03 Hunting for Initial Access: Brute Force and Credential Attacks (1 automated check)
- 04 Hunting for Persistence and Privilege Escalation (1 automated check)