This tutorial demonstrates how to join tables in KQL for Advanced Hunting so you can enrich one dataset with context from another. It explains why joins matter (threat signals are spread across different tables), then walks through join types and patterns—matching on shared keys, choosing inner vs leftouter depending on whether you want to keep unmatched rows, and reducing performance cost by filtering early. The demo shows how to use join to connect related events (like device activity with URL clicks, file activity, or identity context), then clean up the output with project to keep only the columns you need.
We produced this as a hands-on KQL technique lesson: the visuals stay close on the query edits and results so viewers can see enrichment happen in real time, and the pacing slows at the “this join type changes your result set” moments so the concept sticks. Final delivery includes closed captions, audio description, and thumbnails.
The inevitable sequels
Hollywood keeps stretching good ideas into progressively worse sequels. We don’t. These are the related videos—spiritual siblings of the one you just watched—as good or better than this video. Expect callbacks, new plot twists, and maybe even a scene-stealing cameo from a lower third.
