Fix: Lab 05 Ex01 - KQL Defender#495
v-absamim wants to merge 1 commit into MicrosoftLearning:master from
Pull request overview
This PR updates the Learning Path 5 Lab 1 Exercise 1 instructions to correct several KQL examples and align lab metadata/instructions with the intended lab experience.
Changes:
- Updated lab metadata (duration/level) and minor instructional wording/formatting.
- Fixed multiple KQL snippets (syntax corrections, correct column names, join example cleanup).
- Corrected small text issues (grammar/typos and KQL JSON access syntax).
| ```KQL | ||
| SecurityEvent_CL | ||
| | where TimeGenerated > ago(5d and EventID_s == 4624 | ||
| | where TimeGenerated > ago(5d) and EventID_s == 4624 | ||
| ``` |
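Review bot: the added closing parenthesis in `ago(5d)` is the right fix, but the same line compares `EventID_s` against the numeric literal `4624`. The `_s` suffix on a custom-log (`_CL`) column marks it as a string field, so verify this filter actually returns rows in the lab workspace; if it does not, compare against the string literal instead, e.g. `| where TimeGenerated > ago(5d) and EventID_s == "4624"`.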
This lab appears to exist in two locations: this file and Instructions/Labs/DefenderXDR/LAB_AK_05_Lab1_Ex01_KQL_Defender.md. The DefenderXDR copy still contains the original KQL syntax issue this change fixes (missing parenthesis in this query). To avoid the two versions drifting (and learners hitting the broken one), consider applying the same fixes to the DefenderXDR copy or documenting which path is the canonical source.
| ``` | ||
|
|
||
| 1. The following statement demonstrates the **join** operator, which merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. In the Query Window, enter the following statement and select **Run**: | ||
| 1. The following statement demonstrates the **join** operator, which merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. In the Query Window, enter the following statement and select **Run query**: |
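Review bot: the PR summary lists a "join example cleanup", yet this hunk only changes the button label from **Run** to **Run query** and leaves the join explanation untouched. Make sure the cleaned-up join statement itself is part of the diff for this step, since the instruction text is the only thing visible here.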
Instruction wording is inconsistent in this lab: most steps say select Run, but this one says Run query. If the UI button label is actually Run query in Defender XDR, consider standardizing the wording throughout (or using a combined phrasing like “Run/Run query”) to avoid confusion.
| 1. The following statement demonstrates the **join** operator, which merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. In the Query Window, enter the following statement and select **Run query**: | |
| 1. The following statement demonstrates the **join** operator, which merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. In the Query Window, enter the following statement and select **Run**: |
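Review bot: this hunk reverts the label back from **Run query** to **Run**, so together with the earlier hunk on the same step the net change to this line is nothing. If both versions are in the PR history, squash them so the final diff does not touch this line, and pick the label that matches the actual button in the Defender XDR query window for every step in the lab rather than flipping a single one.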
| In this task, you install the **Microsoft Sentinel Training Lab Solution** from the Marketplace which will populate a Log Analytics workspace with sample data that you can use to practice writing KQL statements. | ||
|
|
||
| 1. Login to **WIN1** virtual machine as Admin with the password: **Pa55w.rd**. | ||
| 1. Sign in to **WIN1** virtual machine as Admin using the provided credentials. |
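Review bot: both the removed and the added line are missing an article: `Sign in to **WIN1** virtual machine` should read `Sign in to the **WIN1** virtual machine`. The `Login` to `Sign in` wording change is good; `login` is a noun and `sign in` is the verb form used elsewhere in these labs.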
This repo’s other labs typically specify the WIN1 local Admin password (e.g., Pa55w.rd). Replacing it with “provided credentials” may leave learners without the information needed to sign in unless those VM credentials are explicitly provided elsewhere. Consider either restoring the password here, or explicitly referencing where the WIN1 credentials can be found in the lab environment.
| 1. Sign in to **WIN1** virtual machine as Admin using the provided credentials. | |
| 1. Sign in to **WIN1** virtual machine as **Admin** with the password **Pa55w.rd**. |
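Review bot: restoring the password and bolding **Admin** addresses the earlier comment about learners not having the credentials, but this hunk and the previous one on the same step are two revisions of one line. Combine them so the reviewed diff shows the single net change (`Login` to `Sign in`, plus the bolded account name and password), and apply the missing article fix, `the **WIN1** virtual machine`, in that final version.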
3d69202 to eca145a
Updates to LAB_AK_05_Lab1_Ex01_KQL_Defender.md