KQL Cafe - January 2026
Recording
Hosts
Guests
KQL News
KQL Toolbox Series
- KQL Toolbox #1 — Track & Price Your Microsoft Sentinel Ingest Costs
- KQL Toolbox #2 — Find Your Noisiest Log Sources (with Cost)
- KQL Toolbox #3 — Which Event ID Noises Up Your Logs (and Who's Causing It)
- KQL Toolbox #4 — What Changed? Finding Log Sources with the Biggest Delta in Volume & Cost
ASIM December 2025 Update Is Now Live
Following ASIM reaching General Availability in September, I’m excited to share the completion of the ASIM schema refresh — a major milestone that strengthens Microsoft Sentinel’s normalization framework and sets the stage for the next wave of ASIM-driven innovation.
🔗 https://www.linkedin.com/posts/oshezaf_asim-december-2025-update-is-now-live-share-7406309569976705024-YOw1/?utm_source=social_share_send&utm_medium=ios_app&rcm=ACoAAAC3QkMBbeDK3KuZDfKocgA2reApbZVXz2A&utm_campaign=share_via
Defender XDR – Advanced Hunting
Microsoft
The following advanced hunting schema tables are now available for preview:
- CampaignInfo table contains information about email campaigns identified by Microsoft Defender for Office 365
- FileMaliciousContentInfo table contains information about files that were processed by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams
50+ New Microsoft Teams Protection KQL Queries Available
50+ new Microsoft Teams protection-specific KQL queries are now available directly in the Microsoft Defender XDR portal under Advanced Hunting → Community queries.
With this update, there are now over 260 Microsoft Defender for Office 365-specific KQL queries available for threat hunting, custom detections, reporting, and more — all accessible with just a few simple clicks.
🔗 https://www.linkedin.com/posts/daniel-m-b4201664_defenderforoffice365-defenderxdr-kql-activity-7404515404871524355-Ipyd?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAC3QkMBbeDK3KuZDfKocgA2reApbZVXz2A
Getting to Know MDE
These blog posts focus on how to use KQL in Advanced Hunting with Microsoft Defender for Endpoint to surface detections and protection events across layers such as ASR, MDAV, exploit protection, and network/web protection. They explain how to interpret the resulting events, map them to the underlying capability that raised them, and use queries to investigate security outcomes and operational behaviors. They also touch on troubleshooting scenarios where KQL helps correlate detections with performance or configuration issues.
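As an added example (my own, not code from the blog posts), here is the mapping step described above: DeviceEvents ActionType values carry both the capability and the mode in their name, so a case() on the prefix and suffix gives a per-capability, per-mode view. The ActionType prefixes used are the documented ones for ASR, exploit protection, network protection, SmartScreen and Defender Antivirus; anything that does not match falls into "Other" rather than being silently mis-mapped.

```kql
// Added example: map DeviceEvents ActionTypes to the MDE capability that raised them
// and to whether that capability was auditing or enforcing.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
    or ActionType startswith "ExploitGuard"
    or ActionType startswith "SmartScreen"
    or ActionType startswith "Antivirus"
| extend Capability = case(
    ActionType startswith "Asr",                           "Attack Surface Reduction",
    ActionType startswith "ExploitGuardNetworkProtection", "Network Protection",
    ActionType startswith "ExploitGuard",                  "Exploit Protection",
    ActionType startswith "SmartScreen",                   "Web Protection / SmartScreen",
    ActionType startswith "Antivirus",                     "Microsoft Defender Antivirus",
    "Other")
| extend Mode = case(
    ActionType endswith "Blocked" or ActionType endswith "Enforced", "Block",
    ActionType endswith "Audited",                                   "Audit",
    ActionType contains "Warn",                                      "Warn",
    "Other")
| summarize
    Events = count(),
    Devices = dcount(DeviceId),
    TopInitiators = make_set(InitiatingProcessFileName, 5)   // the processes most often triggering the event
    by Capability, Mode, ActionType
| order by Capability asc, Events desc
```

Reading the result: an ActionType that appears only with Mode == "Audit" is a rule still in audit mode; the same rule showing both Audit and Block rows in one window usually means a staged rollout across device groups. Scoping the query to a single DeviceName is the quickest way to check whether a reported slowdown coincides with a burst of network-protection or antivirus events.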
Approximate, partial and combined lookups in Azure Sentinel
Guest
Learn KQL
max_of
max_of(expr1, expr2, ...) returns the largest of its arguments. The practical use below is to clamp a subtraction at zero: on a day where the lake allocation (LakeP2GB) exceeds the ingested volume, the result shows 0 GB instead of a negative number that would distort totals. The snippet is a fragment of a longer query: P2 (the list of data types covered by the Plan 2 benefit) and LakeP2PerDay (a per-day table with TimeGenerated and LakeP2GB columns) are let statements defined earlier in the original and are not shown here; in the original this block is itself the body of a let statement, which is why it ended with a semicolon.

```kql
// P2 and LakeP2PerDay are let statements defined earlier in the original query (not shown).
Usage
| where TimeGenerated between (startofday(ago(730d)) .. startofday(now()))
| where IsBillable == true
| extend Bytes = toreal(round(Quantity * 1000 * 1000, 0))   // Usage.Quantity is in MB
| project-rename Tabs = DataType
| where Tabs in (P2)
| summarize TotalIngestedP2GB = round(sum(Bytes) / 1e9, 1) by TimeGenerated = startofday(TimeGenerated)
| join kind=leftouter LakeP2PerDay on TimeGenerated          // keep days that have no lake row
| extend LakeP2GB = coalesce(LakeP2GB, 0.0)                  // unmatched day: null -> 0 GB
| extend IngestedP2GB = round(max_of(TotalIngestedP2GB - LakeP2GB, 0.0), 1)   // never below zero
```
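To see why the clamp matters, here is an added example on constructed data (not part of the show notes) that reproduces the same join and subtraction with three deliberately chosen days: one where the credit is smaller than the ingest, one where it is larger, and one with no lake row at all. The table names and values are invented for the demonstration.

```kql
// Added example on constructed data: why the subtraction is wrapped in max_of().
let IngestedPerDay = datatable(TimeGenerated: datetime, TotalIngestedP2GB: real) [
    datetime(2026-01-01), 120.0,   // lake credit smaller than ingest
    datetime(2026-01-02), 40.0,    // lake credit larger than ingest
    datetime(2026-01-03), 0.0      // no lake row at all for this day
];
let LakeP2PerDay = datatable(TimeGenerated: datetime, LakeP2GB: real) [
    datetime(2026-01-01), 50.0,
    datetime(2026-01-02), 75.0
];
IngestedPerDay
| join kind=leftouter LakeP2PerDay on TimeGenerated
| project-away TimeGenerated1                        // drop the duplicated join key from the right side
| extend LakeP2GB = coalesce(LakeP2GB, 0.0)         // unmatched day: null -> 0
| extend RawDelta = TotalIngestedP2GB - LakeP2GB    // goes negative on the second day
| extend IngestedP2GB = round(max_of(RawDelta, 0.0), 1),          // billable volume, floored at zero
         CreditUsedGB = round(min_of(TotalIngestedP2GB, LakeP2GB), 1)   // credit actually consumed
```

The first day yields 70.0 GB ingested with 50.0 GB of credit used; the second would be -35.0 GB without the clamp and instead reports 0.0 with 40.0 GB of credit used; the third reports 0.0 for both. min_of() is the mirror image of max_of() and is the natural way to express "credit consumed" without a second conditional.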
What did you do with KQL this month?
Calculate Defender for Cloud / Defender for Servers Plan 2 ingestion benefits

```kql
// Subscriptions where the Defender for Servers pricing tier is Standard with sub-plan P2
let P2Subs = materialize(
    arg("").securityresources
    | where type == "microsoft.security/pricings"
    | where name == "VirtualMachines"
    | where tostring(properties.pricingTier) =~ "Standard" and tostring(properties.subPlan) =~ "P2"
    | project subscriptionId
);
// Count the Azure VMs and Arc-enabled servers that sit in those subscriptions
arg("").resources
| where subscriptionId in (P2Subs)
| where type =~ "microsoft.compute/virtualmachines" or type =~ "microsoft.hybridcompute/machines"
| extend OS = tolower(tostring(properties.storageProfile.osDisk.osType))   // Azure VMs
| extend ArcOS = tolower(tostring(properties.osName))                      // Arc-enabled servers
| extend OSType = coalesce(OS, ArcOS)   // coalesce skips the empty string, so whichever property exists wins
| summarize
    Total_Servers = count(),
    Azure_VMs = countif(type =~ "microsoft.compute/virtualmachines"),
    Arc_Servers = countif(type =~ "microsoft.hybridcompute/machines")
    by subscriptionId //, OSType   -- add OSType to the key to split the counts by platform
```
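The query above stops at the server count. To turn that count into a number you can set beside actual ingest, here is an added example (my own, not the presenter's query). It assumes the documented Plan 2 benefit of 500 MB per server per day and the list of covered security data types in P2Tables; both should be checked against current Microsoft pricing documentation before the result is relied on. The benefit is applied per workspace according to the machines reporting to it, so a single figure computed from ARG at subscription scope is an approximation, not a billing reconciliation.

```kql
// Added example, not from the show notes. Assumptions (verify against current docs):
//  - Defender for Servers Plan 2 grants 500 MB per server per day of free ingestion
//  - the benefit covers only the security data types listed in P2Tables
let P2Subs = materialize(
    arg("").securityresources
    | where type == "microsoft.security/pricings"
    | where name == "VirtualMachines"
    | where tostring(properties.pricingTier) =~ "Standard" and tostring(properties.subPlan) =~ "P2"
    | project subscriptionId
);
let P2ServerCount = toscalar(
    arg("").resources
    | where subscriptionId in (P2Subs)
    | where type =~ "microsoft.compute/virtualmachines" or type =~ "microsoft.hybridcompute/machines"
    | count
);
let BenefitGBPerDay = todouble(P2ServerCount) * 0.5;   // 500 MB per server per day
let P2Tables = dynamic([
    "SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection",
    "SecurityEvent", "WindowsFirewall", "SysmonEvent", "ProtectionStatus",
    "Update", "UpdateSummary", "CommonSecurityLog", "Syslog"]);
Usage
| where TimeGenerated between (startofday(ago(30d)) .. startofday(now()))
| where IsBillable == true
| where DataType in (P2Tables)
| summarize IngestedGB = round(sum(Quantity) / 1000.0, 2) by Day = startofday(TimeGenerated)   // Quantity is in MB
| extend Servers = P2ServerCount, BenefitGB = round(BenefitGBPerDay, 2)
| extend BillableGB = round(max_of(IngestedGB - BenefitGB, 0.0), 2),       // paid for after the credit
         UnusedBenefitGB = round(max_of(BenefitGB - IngestedGB, 0.0), 2)   // credit left on the table
| order by Day asc
```

A run of days with UnusedBenefitGB well above zero means the covered tables are not receiving as much data as the plan already pays for, which is a prompt to check that the expected machines are actually onboarded and reporting. Days where BillableGB dominates point the other way: the covered sources are outgrowing the allowance and belong in the noisy-source review from the KQL Toolbox queries.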