How to get started with investigations
Written by
Updated at April 3, 2026
Note
This feature is in the Preview stage. To get access, contact tech support or your account manager.
In this tutorial, you will create an investigation and run your first KQL (Kusto Query Language) query.
Getting started
The YCDR section will appear in the Security Deck interface after the access request is approved.
You will need the ycdr.admin role to work with investigations.
Create an investigation
- Go to Security Deck.
- In the left-hand panel, select YCDR.
- Navigate to the Investigations tab.
- Click New investigation.
- Enter a name for your investigation, e.g.,
Failed login analysis. - Under Description, add a description:
Searching for failed console login attempts within the last 30 minutes.
Create a query
-
In the query editor, enter the following KQL query:
Events | project event_class, ['time'] | limit 1This query:
- Selects events from the
Eventstable. - Displays the
event_classandtimefields. - Limits the result to a single entry.
- Selects events from the
-
Set the time period to Last 30 minutes.
-
Click the query run button.
Analyze the results
After the query is completed, the results are displayed in a table with the following fields:
event_class: Event classtime: Event time
This is an example of a simple query which checks service performance. For more complex analysis, use additional queries and filters.
What's next
- Learn more about investigations and queries.
- Learn how to manage investigations.
- Explore working with queries.
- Review the KQL reference.