🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided SC-200 Domain 3
Domain 3 — Module 5 of 6 83%
27 of 28 overall

SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server
Domain 3: Perform Threat Hunting Premium ⏱ ~10 min read

Data Lake: KQL Jobs & Summary Rules

Not all your data sits in the hot tier. Learn how to query archived data with KQL search jobs and create Summary rule tables for efficient long-term hunting.

Why hunt in archived data?

☕ Simple explanation

Sometimes the evidence of an attack is 6 months old. The attacker got in quietly, hid for months, and only now you discovered them. Your recent data shows the damage, but the initial breach? That is buried in archived logs.

The Data lake tier stores historical data cheaply — but it is slower to query than the Analytics tier. You cannot just run a quick KQL query against months of archived data the same way you query recent events.

Instead, you use KQL search jobs (asynchronous queries that run in the background) and Summary rule tables (pre-aggregated data that makes long-term hunting efficient). Together, they let you hunt across months or years of data without breaking the bank.

The Data lake tier in Microsoft Sentinel stores data at significantly lower cost than the Analytics tier, with retention up to 12 years. However, direct interactive KQL queries against Data lake tables are slower and may time out for large datasets.

KQL search jobs are asynchronous queries that run against Data lake (and Analytics) tables in the background, returning results to a new search results table. They enable hunting across large historical datasets without blocking interactive query capacity.

Summary rule tables are scheduled KQL queries that aggregate data into compact summary tables on a recurring basis. They pre-compute common hunting patterns so queries against summarised data are fast and cheap.

KQL search jobs

How search jobs work

  1. Write a KQL query for the data you need (just like a normal query)
  2. Submit as a search job — the query runs asynchronously in the background
  3. Results stored in a new table: {OriginalTable}_SRCH (e.g., SecurityEvent_SRCH)
  4. Query the results table — fast interactive queries against the pre-computed results
  5. Results retained for the configured period (default 30 days)

When to use search jobs

ScenarioWhy Search Jobs
Historical breach investigationQuery 6+ months of sign-in logs for a compromised account
Threat intelligence retrohuntCheck if a newly discovered IOC appeared in historical data
Compliance auditSearch archived data for policy violations
Long-range pattern analysisIdentify slow-and-low attacks across months of data

Search job example

SecurityEvent
| where TimeGenerated between (ago(180d) .. ago(90d))
| where EventID == 4625  // Failed logon
| where TargetUserName == "admin"
| summarize FailedCount = count() by SourceIP = IpAddress, bin(TimeGenerated, 1d)

Submit this as a search job → results appear in SecurityEvent_SRCH → query the results table interactively.

💡 Scenario: Tyler retrohunts a new IOC

A threat intelligence report reveals that a C2 IP address (203.0.113.99) was used in attacks targeting tech companies 4 months ago. Tyler at CipherStack needs to check if any device connected to this IP during that period.

The data is in Data lake (Tyler moved network logs older than 90 days to save costs).

Tyler submits a search job:

DeviceNetworkEvents
| where TimeGenerated between (ago(180d) .. ago(90d))
| where RemoteIP == "203.0.113.99"
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort

The search job runs for 15 minutes, then results appear in DeviceNetworkEvents_SRCH. Tyler queries the results and finds 3 connections from a developer workstation 4 months ago. Investigation begins.

Summary rule tables

What are summary rules?

Summary rules are scheduled KQL queries that aggregate data into compact summary tables on a recurring basis (e.g., hourly or daily). They pre-compute common hunting and reporting patterns.

Why use summary rules?

ProblemSummary Rule Solution
Querying raw data is slow and expensiveSummary tables are small and fast to query
Daily/weekly reports need the same aggregationPre-compute once, query many times
Hunting patterns repeatSummarise common patterns (failed logins per user, network connections per device) for instant lookup
Data lake queries time outSummary rules run against Analytics tier before data ages out, storing results in a custom table with configurable retention

How to create a summary rule

  1. Write the aggregation query — what data to summarise
  2. Set the schedule — how often to run (hourly, daily)
  3. Define the destination table — where to store results (custom table)
  4. Configure retention — how long to keep summarised data

Example: daily failed login summary

SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"  // Failed sign-ins
| summarize
    FailedCount = count(),
    UniqueIPs = dcount(IPAddress),
    Countries = make_set(LocationDetails.countryOrRegion)
    by UserPrincipalName
| where FailedCount > 5

This runs daily and stores results in a summary table. Hunting against the summary is instant — no need to scan millions of raw SigninLogs rows.

Search jobs are for on-demand historical queries; summary rules are for ongoing pre-aggregation
FeatureKQL Search JobsSummary Rule Tables
PurposeQuery historical/archived data on demandPre-aggregate data on a schedule for fast lookups
ExecutionAsynchronous (background)Scheduled (recurring)
Data sourceAny table including Data lakeAnalytics tier tables (before data ages out)
Results storage_SRCH table (temporary, 30 days default)Custom summary table (retention configurable, not permanent)
Best forOne-time historical investigation, retrohuntingOngoing aggregation, reporting, fast hunting lookups
Cost impactPay per query executionPay once for the scheduled run; queries against summary are cheap
Question

What is a KQL search job and when should you use one?

Click or press Enter to reveal answer

Answer

A KQL search job is an asynchronous query that runs against Data lake (or Analytics) data in the background. Results are stored in a _SRCH table for interactive querying. Use when: retrohunting historical IOCs, investigating historical breaches, or querying large archived datasets.

Click to flip back
Question

What are summary rule tables?

Click or press Enter to reveal answer

Answer

Scheduled KQL queries that aggregate data into compact summary tables on a recurring basis (hourly, daily). They pre-compute common patterns (failed logins, connections) so hunting and reporting queries against the summary are fast and cheap. Ideal for ongoing monitoring across large datasets.

Click to flip back
Question

What is the naming convention for search job result tables?

Click or press Enter to reveal answer

Answer

Search job results are stored in a table named {OriginalTable}_SRCH. For example, a search job against SecurityEvent creates results in SecurityEvent_SRCH. Results are retained for a configured period (default 30 days).

Click to flip back
Knowledge Check

Tyler discovers a new IOC that was active 4 months ago. The relevant network data has been moved to the Data lake tier. How should he search for this IOC in historical data?

🎬 Video coming soon

Next up: The final module — hunting with Notebooks and connecting to the Sentinel MCP Server for advanced investigation workflows.

← Previous

Threat Analytics & Hunting Graphs

Next →

Notebooks & the Sentinel MCP Server

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.