You dont have javascript enabled! Please enable it! Passing The Must Learn KQL Assessment - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

Passing the Must Learn KQL Assessment

3 Min. Read

In this article, we will share with you how to prepare and pass the Must Learn KQL training and assessment.


Microsoft Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

If you want to master Microsoft Sentinel and be an effective cybersecurity professional, then learning and mastering KQL is a must.

As a side note, KQL is not only used for Sentinel, it is used with Log Analytics/Azure Monitor, Microsoft Defender for Cloud, Azure Data Explorer, Application Insights, Azure Resource Graph, Microsoft 365 Defender Advanced Hunting including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity.

Kusto Query Language (KQL) is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. The query uses schema entities that are organized in a hierarchy similar to SQL’s: databases, tables, and columns.

A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model that is easy to read, author, and automate. Kusto queries are made of one or more query statements.

In February 2022, Rod Trent (Senior Cloud Security Advocate) created a Must Learn KQL Assessment which is based on the Must Learn KQL series that he created over several months and now has reached its completion.

Must Learn KQL Assessment

The Must Learn KQL training is a set of series, organized in a format that can help you go from absolutely no knowledge in KQL, to master KQL.

The Must Learn KQL training includes 20 series. If you have already studied all the series and you are ready for the knowledge check, follow the steps below:

Knowledge Check

The knowledge measure for Microsoft Sentinel consists of 25 multiple-choice questions.

I’ve just taken the test myself and I am so happy and grateful now that I passed it the first time with a passing score of 84/100 without any additional preparation. I work with KQL and Microsoft Sentinel on regular basis.

Must Learn KQL Assessment
Must Learn KQL Assessment

You need 80% or better at least to pass this knowledge check. I missed four questions. The good news is, the knowledge check will show you the correct answers after you submit the quiz, so you can understand better the right answers.

To get started, check out the Must Learn KQL training series, or you can download the KQL PDF book from here. If you have already studied all the modules and are ready for the knowledge check, please go to the direct link: Assessment check page.

The assessment is based on the honor system. You can take the assessment as many times as you need to and once you hit the 80% grade, you can send an email to the email address supplied on the assessment to receive your certificate:

Please note that this is not an “official” certification, but (as a tip) the effort looks good if you place the certificate as shown in the image below with your current work experience.

KQL Certificate of Completion
KQL Certificate of Completion

This shows a record of your impact and is useful for keeping track of your efforts for those annual awards discussions with your manager.

Last but not least, I want to thank Rod Trent who prepared the Must Learn KQL series and the Knowledge Check.

> Are you interested to become a Microsoft Defender for Cloud Ninja? Check out the following step-by-step guide.

> Are you interested to become a Microsoft Sentinel Ninja? Check out the following step-by-step guide.

> Check how to monitor sign-in activities and advanced your Azure AD hunting with KQL.

All the best,

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 20+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.

How Azure Stack HCI is Forcing Changes in your Datacenter

Reduce and Optimize Costs in Microsoft Sentinel


2 thoughts on “Passing the Must Learn KQL Assessment”

Leave a comment...

  1. Good Day Charbel,

    Can you please provide some examples of retrieving data in local time (For Eg Australia DEST) for a time span of 2 hrs between the dates mentioned?

    This never works for me

    let startTime = todatetime(‘2022-03-28 15:15:00’);
    let endTime = todatetime(‘2022-03-28 16:30:00’);
    | where TimeGenerated between (startTime .. endTime)

    Thanks in advance,

  2. Hello Deepak, thanks for the comment!
    Check this KQL if it works for you.

    // Retrieve Security Events Time span of 2 hours
    | where TimeGenerated between (datetime(2022-03-28, 06:00) .. datetime(2022-03-28, 08:00))

    Hope it helps!

Let me know what you think, or ask a question...