Step 1 Visit detection.wiki/labs and select a lab. Click "Copy init KQL" to copy the bootstrap query. If JavaScript isn't enabled, you'll be sent to a GitHub page instead; select all of the text there and copy it to the clipboard.
Step 2 A new window opens to Azure Data Explorer, which requires a Microsoft account. If you don't have one, click "Create one!" to make a free account.
Step 3 Click "Create one!" to begin creating your free Microsoft account.
Step 4 Enter your email address to create a new Microsoft account. Then click "Next".
Step 5 Verify your email by entering the code Microsoft sent to your inbox.
Step 6 Enter your country/region and date of birth, then click "Next".
Step 7 Enter your first and last name for your Microsoft account.
Step 8 Complete the human verification challenge. Press and hold the button as instructed.
Step 9 Microsoft will prompt you to set up a passkey. Allow Bluetooth if prompted by your browser.
Step 10 Choose where to save your passkey. You can use a phone/tablet or a USB security key.
Step 11 Follow the passkey setup steps on your device.
Step 12 Wait while the passkey is being set up. Your device and browser are communicating to finish the process.
Step 13 On your phone, scan the QR code displayed on screen to complete passkey setup.
Step 14 Your passkey has been created successfully. You can now use biometrics or a PIN to sign in. Click "OK".
Step 15 Choose whether to stay signed in. Click "Yes" for convenience.
Step 16 Azure Data Explorer opens with an empty query editor. Dismiss the tutorial popup by clicking "Dismiss".
Step 17 Open Settings (gear icon) to configure your preferences.
Step 18 (Optional) Go to Appearance and select "Dark" from the Theme dropdown.
Step 19 The Dark theme is now applied. Close the Settings panel.
Step 20 Click "My cluster" in the left sidebar, then click "Create cluster and database".
Step 21 Name your cluster (e.g. "MyFreeCluster") and database (e.g. "DetLabs"). Select a cluster location and click "Create".
Step 22 Your free cluster and database are now created. You can see "MyFreeCluster > DetLabs" in the left panel.
Step 23 Go back to the detection.wiki tab and click "Copy init KQL" again. Paste the KQL into the query editor window.
Step 24 The KQL bootstrap script is loaded. It creates tables, functions, and ingests data. Click "Run" to execute.
Step 25 The query is now running. This process takes about 30–45 seconds. A progress bar will appear at the bottom.
Step 26 The query completes with 124 records. Tables and functions have been created, and data ingestion has started.
Step 27 All tables are now visible in the left panel under your DetLabs database. Expand to see DeviceEvents, SecurityEvent, and more.
Step 28 Run a test query. You can type WindowsEvent | take 10 to see ten rows from the WindowsEvent table.