Skip to content

alexverboon/Hunting-Queries-Detection-Rules

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

KQL Sentinel & Defender queries

KQL for Defender XDR, Microsoft Sentinel & other Microsoft Solutions

The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions feel free to reach out to me on twitter @AlexVerboon.

Presenting this material as your own is illegal and forbidden. A reference to Twitter @AlexVerboon or Github AlexVerboon is much appriciated when sharing or using the content.

Credits

@BertJanCyber - The content structure of this repository was adopted from Bert-Jan's KQL repository

KQL Queries: While I have personally authored the majority of the KQL queries stored here, it is important to note that as I continue to collect queries in my daily work, the repository may also include KQL code contributed by others. I make every effort to acknowledge and credit the original creators whenever I have information about them.

In addition to the queries I have written myself, it's worth mentioning that certain queries within the repository may be direct copies of those found in Microsoft's online documentation and blog posts.

KQL Categories

The queries in this repository are split into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE Framwork. The product section contains queries specific to Microsoft security products.

MITRE ATT&CK

Products & Log Sources