Welcome to KQL Security Training
Master threat detection and investigation across Microsoft 365, Azure, AWS, and Kubernetes environments through hands-on KQL queries and real-world scenarios.
Available Training Platforms
Microsoft 365 Security
Learn identity protection, email security, and endpoint defense with Entra ID, Defender for Office 365, and more.
Azure Platform
Master cloud security posture management, storage protection, and Azure Kubernetes Service security.
AWS Platform
Investigate IAM compromises, S3 security issues, and advanced ransomware techniques targeting AWS services.
Kubernetes & Containers
Secure container orchestration with API server protection, runtime security, and network policy enforcement.
Multi-Cloud & Hybrid
Advanced cross-platform investigations and hybrid environment security analysis.
🚀 Getting Started
- Click the hamburger menu (☰) to browse training scenarios
- Choose a platform that matches your experience level
- Start with Beginner scenarios to build foundational KQL skills
- Practice writing queries in the interactive KQL workspace
- Earn XP and advance your rank as you complete challenges
Password Spray Attack Detection
Scenario: A Security Operations Center has detected unusual authentication patterns across multiple user accounts.
Your task is to identify a potential password spray attack using KQL queries against Microsoft Entra ID sign-in logs.
Learning Objectives: Master aggregation functions, time windows, IP address analysis, and user behavior correlation.
Data Sources: SigninLogs table from Microsoft Entra ID
💡 Hint
Start by filtering the SigninLogs table for failed authentication attempts (ResultType != 0).
Then group by source IP address and count the number of unique users targeted.
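A worked query for this scenario, added here as an example and not the training page's own solution. It assumes the Microsoft Sentinel SigninLogs schema (where ResultType is a string column, so the success code is compared as "0") and a hypothetical threshold of 10 distinct users per source IP that should be tuned per tenant; it goes one step beyond the hint by also surfacing any account that accepted a password from a spraying IP, since those are the first accounts to reset.

```kql
// Added example for the password spray scenario; not the training page's own query.
// Assumes the Microsoft Sentinel SigninLogs schema: ResultType is a string ("0" = success).
let lookback  = 24h;
let min_users = 10;          // hypothetical: distinct accounts one IP must fail against
let bin_size  = 1h;          // sprays are slow; a 1h bin still catches "low and slow"
// Stage 1: source IPs that failed against many distinct users within one window.
let spray_sources =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                      // failed sign-ins only
    | summarize
        FailedAttempts = count(),
        TargetedUsers  = dcount(UserPrincipalName),
        FailureCodes   = make_set(ResultType, 10),  // e.g. 50126 = bad password
        FirstSeen      = min(TimeGenerated),
        LastSeen       = max(TimeGenerated)
      by IPAddress, Location, WindowStart = bin(TimeGenerated, bin_size)
    | where TargetedUsers >= min_users
    // A spray is few attempts per user; a brute force is many attempts on one user.
    | extend AttemptsPerUser = round(todouble(FailedAttempts) / TargetedUsers, 2);
// Stage 2: did any account accept a password from those IPs in the same period?
// Those accounts are the ones to reset and investigate first.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize
        SuccessCount          = count(),
        CompromisedCandidates = make_set(UserPrincipalName, 20)
      by IPAddress;
spray_sources
| join kind=leftouter successes on IPAddress
| extend SuccessCount = coalesce(SuccessCount, 0)   // no match => no successes
| project WindowStart, IPAddress, Location, TargetedUsers, FailedAttempts,
          AttemptsPerUser, FailureCodes, SuccessCount, CompromisedCandidates,
          FirstSeen, LastSeen
| order by SuccessCount desc, TargetedUsers desc
```

Rows with SuccessCount above zero are the spray sources that landed a valid credential; rows with zero still identify the infrastructure to block and the targeted users to watch.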
📋 SigninLogs Table - Raw Data (Last 24 Hours)
Review the authentication logs below. Look for patterns that might indicate a password spray attack.
| TimeGenerated | UserPrincipalName | IPAddress | Location | ResultType | AppDisplayName | ClientAppUsed |
|---|---|---|---|---|---|---|