

KQL for Data and Security Professionals
Tuesday, August 4, 2026 | 7:30 – 9:00 AM PT | 10:30 AM – 12:00 PM ET | 2:30 – 4:00 PM GMT | 3:30 – 5:00 PM WAT | 8:00 – 9:30 PM IST | YouTube Livestream
This is Session 5 and the closing session of the Microsoft Fabric Location Intelligence & Security User Group Data Days series, running June through August 2026.
KQL is one of the most practical and immediately useful skills you can add to your toolkit in 2026. It is the query language of Microsoft Sentinel, Microsoft Defender, Microsoft Fabric Real-Time Intelligence, and Eventhouse, and it is rapidly becoming a shared language across data engineering, security operations, and AI workloads.
This session is designed for both communities. If you come from a data background, you will learn how KQL extends what you already know. If you come from a security background, you will see how KQL scales beyond threat hunting into operational analytics and business intelligence. And if you attended Win in the Seams on July 25, this session goes deeper on the technical foundations introduced there.
WHAT THIS SESSION COVERS
KQL is not just a security tool or just a data tool. It is the connective language between real-time signals, telemetry, logs, and decisions, and this session shows both communities how to use it across the full Microsoft ecosystem.
TOPICS

KQL Foundations for Both Communities
• What KQL is and how it differs from SQL: syntax, philosophy, and use cases
• Why KQL is optimized for time-series, telemetry, and event data
• Core KQL operators every practitioner needs: where, summarize, extend, project, join, render
• Reading and writing KQL queries from scratch: a practical walkthrough
• How Copilot and natural language can help you write and interpret KQL queries in Fabric
• KQL versus SQL: when to use each inside Microsoft Fabric

KQL in Microsoft Fabric Real-Time Intelligence
• What Eventhouse is and how KQL databases are structured inside Fabric
• Ingesting streaming data into Eventhouse: Eventstreams, APIs, and connectors
• Querying real-time and historical data with KQL inside a Fabric workspace
• Building Real-Time Dashboards powered by KQL queries
• Eventhouse remote MCP: enabling AI agents to query real-time data using natural language and KQL
• Business events flowing automatically into Eventhouse for KQL analysis
• Anomaly detection running directly on live time-series and event datasets in Eventhouse
• Workspace monitoring: tracking Eventstream health, throughput, and errors using KQL tables

KQL for Security Professionals
• KQL in Microsoft Sentinel: hunting, detection rules, and incident investigation
• KQL in Microsoft Defender: endpoint telemetry and threat analytics
• Common security KQL patterns: login anomalies, privilege escalation, lateral movement, data exfiltration
• Building custom detection rules and watchlists using KQL
• Correlating identity signals from Entra ID with security telemetry using KQL
• SC-200 and SC-500 certification contexts where KQL skills are directly tested

KQL for Data Professionals
• Using KQL to analyze operational telemetry alongside business data in Fabric
• Geospatial and location signals as KQL inputs: correlating event data with location context
• Joining security logs with business data to surface operational intelligence
• How KQL queries power both security detection and business analytics on the same data
• Eventhouse as the connective layer between security logs and OneLake business data
• Turning events into decisions before the window closes: practical patterns for data engineers

Live Query Demonstrations
• Writing and running KQL queries live against a Fabric Eventhouse
• A security hunting query built and explained step by step
• A business analytics query using the same KQL patterns applied to operational data
• Using Copilot to generate and refine KQL queries in Real-Time Intelligence
• Resources for going deeper: KQL learning path on Microsoft Learn, SC-200 and DP-700 study materials, and community channels
WHO SHOULD ATTEND
This session is for anyone who works with data, logs, telemetry, or real-time signals in the Microsoft ecosystem, including:
• Data Engineers and Analytics Engineers working with Real-Time Intelligence
• Security Analysts and SOC Engineers using Microsoft Sentinel or Defender
• Fabric Architects designing event-driven and real-time analytics solutions
• Governance and Compliance professionals working with audit logs and telemetry
• Anyone preparing for SC-200, SC-500, DP-700, or DP-800 certification
• Anyone who attended Win in the Seams on July 25 and wants to go deeper
No prior KQL experience required.
FORMAT
Interactive YouTube livestream with full replay available after the event. This session includes live query demonstrations and Q&A. Come with your KQL questions: beginners and experienced practitioners are both welcome.
ABOUT THIS SERIES
This is the closing session of the Microsoft Fabric Location Intelligence & Security User Group Data Days series, a set of focused 90-minute sessions running June through August 2026 on YouTube.
Series arc:
• June 23: Location Intelligence with Maps and GeoAnalytics in Microsoft Fabric
• June 30: Get to Know Esri: From Living Atlas to Spatial Analysis for Fabric Users
• July 7: Data and AI Security and Governance in Microsoft Fabric
• July 21: Fabric IQ for Data Professionals
• August 4: KQL for Data and Security Professionals
The Microsoft Fabric Location Intelligence & Security User Group is not affiliated with or run by the Microsoft Fabric Community or the Fabric User Group Network.