Skip to content

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

License

Notifications You must be signed in to change notification settings

Bert-JanP/Hunting-Queries-Detection-Rules

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

KQL Sentinel & Defender queries Tweet

██   ██  ██████  ██                                                                                     
██  ██  ██    ██ ██                                                                                     
█████   ██    ██ ██                                                                                     
██  ██  ██ ▄▄ ██ ██                                                                                     
██   ██  ██████  ███████                                                                                
            ▀▀                                                                                          
                                                                                                        
█  ██████  ██████  ██ ███    ██ ████████   ██  ██     ██ ███████ ██       ██████  ██████  ███    ███ ███████ ██
█  ██   ██ ██   ██ ██ ████   ██    ██          ██     ██ ██      ██      ██      ██    ██ ████  ████ ██      
█  ██████  ██████  ██ ██ ██  ██    ██          ██  █  ██ █████   ██      ██      ██    ██ ██ ████ ██ █████   
█  ██      ██   ██ ██ ██  ██ ██    ██          ██ ███ ██ ██      ██      ██      ██    ██ ██  ██  ██ ██      
█  ██      ██   ██ ██ ██   ████    ██           ███ ███  ███████ ███████  ██████  ██████  ██      ██ ███████ 

KQL for Defender For Endpoint & Microsoft Sentinel

The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions feel free to reach out to me on Twitter @BertJanCyber.

Presenting this material as your own is illegal and forbidden. A reference to Twitter @BertJanCyber or Github @Bert-JanP is much appreciated when sharing or using the content.

KQL Blogs

More detailed KQL information can be found on my blog page: https://kqlquery.com. Some KQL related blogs:

For Sentinel Automations see the Repository Sentinel-Automation.

KQL Categories

The queries in this repository are split into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE Framework. The product section contains queries specific to Microsoft security products. The Processes section contains several queries that can be used in common cyber processes to make things easier for security analysts. In addition, there is a special category for Zero Day detections. Lastly, there is an informational section that explains the use of KQL using examples.

MITRE ATT&CK

Products

Security Processes

Zero Day Detections

Informational

Contributions

Everyone can submit contributions to this repository via a Pull Request. If you want to contribute the Detection Template needs to be used. Besides that the query needs to be able to run and be readable. To give credit where credit is due the top contributors are listed in the Top Contributors section.

Top contributors

Name Queries added GitHub Twitter Query Links
Gavin Knapp 10 @m4nbat @knappresearchlb
Alex Teixeira 4 @inodee @ateixei
Babak Mahmoodizadeh 2 @babakmhz @Babakmhz
Deepak Kumar Ray 1 @roydeepakku
Guy Sukerman 1 @guys1444

Detection Template

The Detection Template can be used to standardize the detections in your own repository. This could help others to easily parse the content of the repository to collect the query and the metadata. The following repositories have already been standardized in this manner:

If your repository is not yet listed, feel free to create a pull request (PR) or reach out via message to have it added.

Where to use KQL in Defender For Endpoint & Sentinel?

Defender XDR

Sentinel

KQL Defender For Endpoint vs Sentinel

KQL queries can be used in both Defender For Endpoint and Azure Sentinel. The syntax is almost the same. The main difference is the field that indicates the time. It must be adjusted according to the product used. In Sentinel, the 'TimeGenerated' field is used. In DFE it is 'Timestamp'. The queries below show both in DFE and in Azure Sentinel 10 DeviceEvents of the last 7 days.

Quickstart Defender For Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| take 10

Quickstart Azure Sentinel

DeviceEvents
| where TimeGenerated > ago(7d)
| take 10

KQL Sources

Documentation

Link Description
KQL Quick Reference Guide KQL Quick Reference Guide
KQL Tutorial KQL Tutorial
KQL Cheat Sheet PDF KQL Cheat Sheet

Respostiories

The community respostiories are available here

Other

Link Description
kqlsearch.com KQL Search Engine
Kusto Insights Newsletter Kusto Insights newsletter
The Definitive Guide to KQL Using Kusto Query Language for Operations, Defending, and Threat Hunting
Kusto Query Internals Hunting TTPs with Azure Sentinel
Microsoft Sentinel Analytics Rules Microsoft Sentinel Analytics Rules
KQL Internals Kusto Query Internals: Hunting TTPs with Azure Sentinel
Advanced Hunting Expert Training Advanced Hunting Expert Training

About

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages