Conduct a Threat Hunt Using Kusto Query Language (KQL)

Level: Intermediate | Rating: 4.5 | Deployments: 3,065 | Duration: 75 min

Hunt for indicators of compromise in security logs using advanced KQL queries mapped to MITRE ATT&CK tactics.

Lab Overview & Objectives

Detecting threats in enterprise environments requires the ability to query and correlate security data across multiple log sources. Kusto Query Language (KQL) is the query language used for log analysis in Microsoft Sentinel (formerly Azure Sentinel), Azure Monitor Log Analytics, and Microsoft Defender advanced hunting. A structured threat hunt uses the MITRE ATT&CK framework to systematically look for attacker techniques, from initial access through persistence and privilege escalation, rather than searching logs ad hoc.

In this lab, you will work with a pre-provisioned Log Analytics workspace containing realistic security data across four tables: SecurityEvent, SigninLogs, OfficeActivity, and AzureActivity. You will hunt for brute force attacks in authentication logs, detect persistence mechanisms like suspicious inbox rules, identify privilege escalation through account manipulation, and correlate findings across the entire kill chain using advanced KQL operators.

Objectives

Upon completing this Intermediate-level lab, you will be able to:

  • Identify brute force and credential stuffing attacks by analyzing failed and successful sign-in patterns in SigninLogs
  • Detect persistence mechanisms such as suspicious inbox forwarding rules and account manipulation in OfficeActivity and SecurityEvent tables
  • Hunt for privilege escalation indicators by correlating account modification events across AzureActivity and SecurityEvent logs
  • Construct multi-table KQL queries using join, union, and let statements to trace attacker activity across the kill chain
  • Map discovered indicators of compromise to specific MITRE ATT&CK tactics and techniques
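The following query is an added example of the multi-table hunt the lab description and objectives above outline; it is not part of the lab materials. It assumes the standard Microsoft Sentinel column names for SigninLogs, OfficeActivity, SecurityEvent and AzureActivity (including the newer OperationNameValue / ActivityStatusValue columns in AzureActivity). The failure threshold, the 7-day lookback, the 24-hour post-compromise window, and the assumption that the CN in a Windows MemberName distinguished name matches the UPN prefix in Entra ID are all choices made for this example and should be tuned to the data you actually have.

```kql
// Added example (not lab material). Assumes the standard Microsoft Sentinel
// schemas for SigninLogs, OfficeActivity, SecurityEvent and AzureActivity.
// lookback, failureThreshold and postCompromiseWindow are assumptions to tune.
let lookback = 7d;
let failureThreshold = 10;
let postCompromiseWindow = 24h;
// --- Initial Access, T1110 Brute Force ---------------------------------------
// Many failed sign-ins for one account from one IP, then a success from the
// same IP. ResultType is a string in SigninLogs; "0" is a successful sign-in.
let failedSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")   // invalid password, account locked
    | summarize Failures = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where Failures >= failureThreshold;
let successfulSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, Location;
let bruteForceSuccess = failedSignins
    | join kind=inner successfulSignins on UserPrincipalName, IPAddress
    | where SuccessTime > LastFailure                 // success came after the failures
    | project UserPrincipalName, IPAddress, Location, Failures, FirstFailure, LastFailure, SuccessTime;
// --- Inbox rules that forward or redirect mail -------------------------------
// ATT&CK lists T1114.003 under Collection; the lab groups it with persistence.
let inboxRules = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange" and Operation in ("New-InboxRule", "Set-InboxRule")
    | mv-expand Param = parse_json(Parameters)
    | where tostring(Param.Name) in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
    | summarize Forwarding = make_list(strcat(tostring(Param.Name), "=", tostring(Param.Value)))
        by TimeGenerated, UserId, ClientIP, Operation
    | project TimeGenerated, Account = tolower(UserId), Actor = tolower(UserId), ClientIP,
              Tactic = "Collection", Technique = "T1114.003 Email Forwarding Rule",
              Details = strcat(Operation, ": ", strcat_array(Forwarding, "; "));
// --- Privilege Escalation via on-prem group membership, T1098 ----------------
// 4728 / 4732 / 4756: member added to a global / local / universal security group.
// MemberName is a DN ("CN=jdoe,CN=Users,DC=..."); the CN is used as the join key,
// which assumes (for this example) that the CN equals the account's UPN prefix.
let adGroupChanges = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4728, 4732, 4756)
    | where TargetUserName has_any ("Admins", "Administrators")
    | project TimeGenerated,
              Account = tolower(extract(@"CN=([^,]+)", 1, MemberName)),
              Actor = tolower(SubjectUserName), ClientIP = "",
              Tactic = "Privilege Escalation", Technique = "T1098 Account Manipulation",
              Details = strcat("EventID ", EventID, ": added to ", TargetUserName, " on ", Computer);
// --- Privilege Escalation via Azure RBAC writes, T1098.003 --------------------
// Caller is the principal that wrote the role assignment; correlating on the
// caller catches a compromised account granting roles (to itself or others).
let azureRoleAssignments = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
    | where ActivityStatusValue in~ ("Success", "Succeeded")
    | project TimeGenerated, Account = tolower(Caller), Actor = tolower(Caller), ClientIP = CallerIpAddress,
              Tactic = "Privilege Escalation", Technique = "T1098.003 Additional Cloud Roles",
              Details = strcat("Role assignment written in resource group ", ResourceGroup);
// --- Correlate: follow-on activity by the brute-forced accounts ---------------
// The join key is the UPN prefix so Entra ID UPNs, Exchange UserIds and AD CNs line up.
let postCompromise = union inboxRules, adGroupChanges, azureRoleAssignments
    | extend AccountKey = tostring(split(Account, "@")[0]);
bruteForceSuccess
| extend AccountKey = tostring(split(tolower(UserPrincipalName), "@")[0])
| join kind=inner postCompromise on AccountKey
| where TimeGenerated between (SuccessTime .. (SuccessTime + postCompromiseWindow))
| extend SameSourceIP = (ClientIP contains IPAddress)   // extra signal: same IP as the brute force
| project UserPrincipalName, IPAddress, Failures, SuccessTime, TimeGenerated,
          Tactic, Technique, Details, Actor, ClientIP, SameSourceIP
| sort by UserPrincipalName asc, TimeGenerated asc
```

Run it from the Logs blade of the workspace. The result is a per-account timeline in which every row is already labelled with its ATT&CK tactic and technique; appending `| summarize Tactics = make_set(Tactic) by UserPrincipalName` shows how many kill-chain stages each account spans. Because the final join is `kind=inner`, accounts that were brute-forced but show no follow-on activity in the window drop out of the result; switch to `kind=leftouter` if you want to keep them for triage.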

Who is this lab for?

This lab is designed for:

  • Security analysts who need to perform proactive threat hunting using KQL in Azure environments
  • SOC engineers looking to improve their ability to detect and correlate multi-stage attacks

Familiarity with basic KQL operators and the Azure Portal is recommended. Completing the "Introduction to KQL" lab first is strongly suggested.

Real-Time Validation

Our platform uses an automated validation engine to verify your configurations as you work through the lab modules. No multiple choice—just real-world proficiency.

Modules: 4 | Duration: 75 min

Lab Curriculum

01  Logging into Azure Account using Azure Portal
02  Exploring the Log Analytics Workspace and MITRE ATT&CK Framework
03  Hunting for Initial Access: Brute Force and Credential Attacks
04  Hunting for Persistence and Privilege Escalation