KQL Detections for Microsoft Sentinel and Microsoft 365 Defender
The purpose of this repository is to share KQL queries that anyone can use and understand. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions, feel free to reach out to me on Twitter @castello_johnny.
Presenting this material as your own is illegal and forbidden. A reference to Twitter @castello_johnny or GitHub KustoKing is much appreciated when sharing or using the content.
@castello_johnny - The content structure of this repository was adopted from KustoKing's KQL repository.
KQL Queries: While I have personally authored the majority of the KQL queries stored here, it is important to note that as I continue to collect queries in my daily work, the repository may also include KQL code contributed by others. I make every effort to acknowledge and credit the original creators whenever I have information about them.
In addition to the queries I have written myself, it's worth mentioning that certain queries within the repository may be direct copies of those found in Microsoft's online documentation and blog posts.
The queries in this repository are split into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE ATT&CK Framework. The product section contains queries specific to Microsoft security products:
- Active Directory
- Microsoft 365 Defender
- Microsoft 365 Defender For Endpoint
- Microsoft 365 Defender For Identity
- Microsoft 365 Defender For Cloud Apps
- Microsoft 365 Defender For Office 365
- Microsoft 365 Defender External Attack Surface Management
- Microsoft Entra ID
- Microsoft Sentinel
- Vulnerability Management