{"id":13520640,"url":"https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules","last_synced_at":"2025-03-31T18:31:10.808Z","repository":{"id":41122758,"uuid":"498037475","full_name":"Bert-JanP/Hunting-Queries-Detection-Rules","owner":"Bert-JanP","description":"KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules \u0026 Hunting Rules. ","archived":false,"fork":false,"pushed_at":"2025-03-03T08:49:07.000Z","size":965,"stargazers_count":1396,"open_issues_count":0,"forks_count":258,"subscribers_count":66,"default_branch":"main","last_synced_at":"2025-03-29T09:06:04.798Z","etag":null,"topics":["azure","blueteam","cybersecurity","defender-for-endpoint","dfir","infosec","kql","mde","mdi","misp","security","sentinel","threat-hunting","vulnerability-management","zero-day"],"latest_commit_sha":null,"homepage":"https://kqlquery.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Bert-JanP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"Security 
Operations/ComparisonIntuneandMDEDevices.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-30T17:28:10.000Z","updated_at":"2025-03-28T16:04:59.000Z","dependencies_parsed_at":"2023-09-26T23:42:13.312Z","dependency_job_id":"adc03c70-111d-42e6-aec3-df914a1095d5","html_url":"https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules","commit_stats":{"total_commits":368,"total_committers":15,"mean_commits":"24.533333333333335","dds":"0.11141304347826086","last_synced_commit":"685738e989a39f9a36dfa391379cb94eaead8681"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bert-JanP%2FHunting-Queries-Detection-Rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bert-JanP%2FHunting-Queries-Detection-Rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bert-JanP%2FHunting-Queries-Detection-Rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bert-JanP%2FHunting-Queries-Detection-Rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Bert-JanP","download_url":"https://codeload.github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246517743,"owners_count":20790479,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","blueteam","cybersecurity","defender-for-endpoin
t","dfir","infosec","kql","mde","mdi","misp","security","sentinel","threat-hunting","vulnerability-management","zero-day"],"created_at":"2024-08-01T06:00:19.247Z","updated_at":"2025-03-31T18:31:10.797Z","avatar_url":"https://github.com/Bert-JanP.png","language":"Python","funding_links":[],"categories":["Other Lists","Queries","Detection Content \u0026 Signatures"],"sub_categories":["📡 Detection Resources"],"readme":"# KQL Sentinel \u0026 Defender queries \n\n[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=KQL%20Detection%20Rules!%20MDE%20and%20Sentinel!\u0026url=https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules)\n\n```\n██   ██  ██████  ██                                                                                     \n██  ██  ██    ██ ██                                                                                     \n█████   ██    ██ ██                                                                                     \n██  ██  ██ ▄▄ ██ ██                                                                                     \n██   ██  ██████  ███████                                                                                \n            ▀▀                                                                                          \n                                                                                                        \n█  ██████  ██████  ██ ███    ██ ████████   ██  ██     ██ ███████ ██       ██████  ██████  ███    ███ ███████ ██\n█  ██   ██ ██   ██ ██ ████   ██    ██          ██     ██ ██      ██      ██      ██    ██ ████  ████ ██      \n█  ██████  ██████  ██ ██ ██  ██    ██          ██  █  ██ █████   ██      ██      ██    ██ ██ ████ ██ █████   \n█  ██      ██   ██ ██ ██  ██ ██    ██          ██ ███ ██ ██      ██      ██      ██    ██ ██  ██  ██ ██      \n█  ██      ██   ██ ██ ██   ████    ██           ███ ███  ███████ ███████  ██████  ██████  ██      ██ 
███████ \n```\n\n\n# KQL for Defender For Endpoint \u0026 Microsoft Sentinel\nThe purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions feel free to reach out to me on Twitter [@BertJanCyber](https://twitter.com/BertJanCyber). \n\n**Presenting this material as your own is illegal and forbidden. A reference to Twitter [@BertJanCyber](https://twitter.com/BertJanCyber) or Github [@Bert-JanP](https://github.com/Bert-JanP) is much appreciated when sharing or using the content.**\n\n## KQL Blogs\nMore detailed KQL information can be found on my blog page: https://kqlquery.com. Some KQL related blogs:\n- [KQL Functions For Security Operations](https://kqlquery.com/posts/kql-for-security-operations/)\n- [KQL Functions For Network Operations](https://kqlquery.com/posts/kql-for-network-operations/)\n- [Incident Response Part 1: IR on Microsoft Security Incidents (KQL edition)](https://kqlquery.com/posts/kql-incident-response/)\n- [Incident Response Part 2: What about the other logs?](https://kqlquery.com/posts/kql-incident-response-everything-else/)\n- [From Threat Report to (KQL) Hunting Query](https://kqlquery.com/posts/from-threat-report-to-hunting-query/)\n- [Prioritize Vulnerabilities Using The CISA Known Exploited Vulnerabilities Catalog](https://kqlquery.com/posts/prioritize-vulnerabilities-cisa/)\n- [KQL Security Sources - 2024 Update](https://kqlquery.com/posts/kql-sources-2024-update/)\n- [Detecting Post-Exploitation Behaviour](https://kqlquery.com/posts/detecting-post-exploitation-behaviour/)\n- [Investigating Microsoft Graph Activity 
Logs](https://kqlquery.com/posts/graphactivitylogs/)\n- [Audit Defender XDR Activities](https://kqlquery.com/posts/audit-defender-xdr/)\n- [Use Cases For Sentinel Summary Rules](https://kqlquery.com/posts/sentinel-summary-rules/)\n- [Unleash The Power Of DeviceTvmInfoGathering](https://kqlquery.com/posts/devicetvminfogathering/)\n\nFor Sentinel Automations see the Repository [Sentinel-Automation](https://github.com/Bert-JanP/Sentinel-Automation).\n\n# KQL Categories\n\nThe queries in this repository are split into different categories. The MITRE ATT\u0026CK category contains a list of queries mapped to the tactics of the MITRE Framework. The product section contains queries specific to Microsoft security products. The Processes section contains several queries that can be used in common cyber processes to make things easier for security analysts. In addition, there is a special category for Zero Day detections. Lastly, there is an informational section that explains the use of KQL using examples. 
\n\n## MITRE ATT\u0026CK\n\n- [MITRE ATT\u0026CK Mapping](./MITRE%20ATT%26CK/Mapping.md)\n\n## Products\n- [Defender For Endpoint detection rules](./Defender%20For%20Endpoint)\n- [Defender For Identity detection rules](./Defender%20For%20Identity)\n- [Defender For Cloud Apps detection rules](./Defender%20For%20Cloud%20Apps)\n- [Defender For Office 365](./Office%20365)\n- [Defender XDR](./Defender%20XDR)\n- [Azure Active Directory](./Azure%20Active%20Directory)\n- [Microsoft Sentinel](./Sentinel)\n- [MISP](./MISP)\n- [Windows Security Events](./Windows%20Security%20Events)\n- [Graph API](./Graph%20API/)\n- [Windows Security Events](./SecurityEvents/)\n\n## Security Processes\n- [Digital Forensics and Incident Response](./DFIR)\n- [Threat Hunting](./Threat%20Hunting)\n- [Full Threat Hunting Cases](./Threat%20Hunting%20Cases)\n- [Vulnerability Management](./Vulnerability%20Management)\n\n## Informational \n\n- [KQL helpful functions](./Functions/)\n- [KQL Regex Example List](./KQL%20Regex/RegexExamples.md)\n- [Azure Resource Graph](./Azure%20Resource%20Graph/)\n\n# Contributions\nEveryone can submit contributions to this repository via a Pull Request. If you want to contribute the [Detection Template](#detection-template) needs to be used. Besides that the query needs to be able to run and be readable. 
To give credit where credit is due the top contributors are listed in the [Top Contributors section](#top-contributors).\n\n## Top contributors\n| Name | Queries added | GitHub | Twitter | Query Links |\n|------|---------------|--------|---------| ---------|\n|  [Gavin Knapp](https://www.linkedin.com/in/grjk83/)    |    10           |   [@m4nbat](https://github.com/m4nbat)     | [@knappresearchlb](https://twitter.com/knappresearchlb)      | \u003cul\u003e\u003cli\u003e[NetSupport running from unexpected directory (FIN7)](./Defender%20For%20Endpoint/ttp_t1219_netsupportrat_fin7.md)\u003c/li\u003e\n| | | |  | \u003cul\u003e\u003cli\u003e[Abusing PowerShell to disable Defender components](./Defender%20For%20Endpoint/ttp_t1562-001_disabledefender.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[Suspicious network connection from MSBuild](./Defender%20For%20Endpoint/ttp_t1127-001_suspNetworkConnMSBuild.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[PowerShell Encoded Command](./Defender%20For%20Endpoint/ttp_t1027-010_powershellEncodedCommand.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[PowerShell Launching Scripts From WindowsApps Directory (FIN7)](./Defender%20For%20Endpoint/ttp_t1059-001_powershell_windowsappsdir_fin7.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[Azure ARC Related Persistence Detection](./Defender%20For%20Endpoint/nf_ttp_t1543_scattered-spider_azure_arc_persistence.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[Scattered Spider Defense Evasion via Conditional Access Policies Detection](./Azure%20Active%20Directory/nf_ttp_t1562.001_scattered-spider_abuse%20conditional_access_trusted_locations.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[Check for Phishing Emails Using IPFS in Phishing Campaigns](./Threat%20Hunting/TI%20Feed%20-%20ipfs_phishing.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[Kerberos 
attacks](./Defender%20For%20Endpoint/nf_ttp_generic_kerberos_attacks.md)\u003c/li\u003e|\n| | | |  | \u003cul\u003e\u003cli\u003e[PowerShell Creating LNK Files within a Startup Directory Detection](./Defender%20For%20Endpoint/nf_ttp_t1547-001_yellowcockatoo_powershell_create_link_in_startup)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[Ransomware Leaksite Monitoring](./Threat%20Hunting/Ransomware%20-%20LeaksiteMontitoring.md)\u003c/li\u003e| \n|  [Alex Teixeira](https://www.linkedin.com/in/inode/)    |    4           |   [@inodee](https://github.com/inodee)     | [@ateixei](https://twitter.com/ateixei)      | \u003cul\u003e\u003cli\u003e[Rare_Outgoing_IPv4_Connections](./Defender%20For%20Endpoint/Rare_Outgoing_IPv4_Connections.md)\u003c/li\u003e\n| | | |  | \u003cul\u003e\u003cli\u003e[Detect Known RAT RMM Process Patterns](./Defender%20For%20Endpoint/Detect_Known_RAT_RMM_Process_Patterns.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[NTDS.DIT File Modifications](./Defender%20For%20Endpoint/NTDSDitFileModifications.md)\u003c/li\u003e| \n| | | |  | \u003cul\u003e\u003cli\u003e[Custom Detection Report](./Defender%20XDR/CustomDetectionReport.md)\u003c/li\u003e| \n|  [Babak Mahmoodizadeh](https://www.linkedin.com/in/babak-mhz/)    |    2           |   [@babakmhz](https://github.com/babakmhz)     | [@Babakmhz](https://twitter.com/Babakmhz)       | \u003cul\u003e\u003cli\u003e[WebShell Detection](./Defender%20For%20Endpoint/WebshellDetection.md)\u003c/li\u003e |\n| | | |  | \u003cul\u003e\u003cli\u003e[List AD Delegations](./Windows%20Security%20Events/ListADDelegations.md)\u003c/li\u003e|\n|  [Deepak Kumar Ray](https://www.linkedin.com/in/deepak2/)    |    1           |      | [@roydeepakku](https://twitter.com/roydeepakku)      | \u003cul\u003e\u003cli\u003e[CEF MultiSource IP](./MISP/Sentinel/CEF-MultiSource-IP.txt)\u003c/li\u003e |\n|  [Guy Sukerman](https://www.linkedin.com/in/guy-sukerman-2002451aa/)    |    1           |   
[@guys1444](https://github.com/guys1444)   |     | \u003cul\u003e\u003cli\u003e[Anomalous Amount of URLClickEvents](./Office%20365/AnomalousAmountofURLClickEvents.md)\u003c/li\u003e |\n|  [ch4meleon](https://github.com/ch4meleon)   |    1           |   -  |     | \u003cul\u003e\u003cli\u003e[PowerShell Executions From Clipboard](./Defender%20For%20Endpoint/PowerShellExecutionsFromClipboard.md)\u003c/li\u003e |\n\n\n### Detection Template\nThe *[Detection Template](./DetectionTemplate.md)* can be used to standardize the detections in your own repository. This could help others to easily parse the content of the repository to collect the query and the metadata. The following repositories have already been standardized in this manner:\n- https://github.com/alexverboon/Hunting-Queries-Detection-Rules - By Alex Verboon\n- https://github.com/KustoKing/Hunting-Queries-Detection-Rules - By Gianni Castaldi\n- https://github.com/SlimKQL/Hunting-Queries-Detection-Rules - By Steven Lim\n- https://github.com/SecurityAura/DE-TH-Aura - By SecurityAura\n\nIf your repository is not yet listed, feel free to create a pull request (PR) or reach out via message to have it added.\n# Where to use KQL in Defender For Endpoint \u0026 Sentinel?\n\n## Defender XDR\n* Open  [security.microsoft.com](https://www.security.microsoft.com)\n* Hunting\n* Advanced Hunting\n\n## Sentinel\n* Open [portal.azure.com](https://www.portal.azure.com)\n* Search for Sentinel\n* Open Sentinel\n* Logs\n\n# KQL Defender For Endpoint vs Sentinel\n\nKQL queries can be used in both Defender For Endpoint and Azure Sentinel. The syntax is almost the same. The main difference is the field that indicates the time. It must be adjusted according to the product used. In Sentinel, the 'TimeGenerated' field is used. In DFE it is 'Timestamp'. 
The queries below show both in DFE and in Azure Sentinel 10 DeviceEvents of the last 7 days.\n\nQuickstart Defender For Endpoint\n```\nDeviceEvents\n| where Timestamp \u003e ago(7d)\n| take 10\n```\n\nQuickstart Azure Sentinel\n```\nDeviceEvents\n| where TimeGenerated \u003e ago(7d)\n| take 10\n```\n\n# KQL Sources\n\n## Documentation\n\n| Link | Description |\n| ------ | ----------- |\n| [KQL Quick Reference Guide](https://docs.microsoft.com/en-us/azure/data-explorer/kql-quick-reference)  | KQL Quick Reference Guide |\n| [KQL Tutorial](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuredataexplorer) | KQL Tutorial | \n| [KQL Cheat Sheet PDF](https://github.com/marcusbakker/KQL/blob/master/kql_cheat_sheet.pdf) | KQL Cheat Sheet |\n\n## Repositories\nThe community repositories are available [here](./Community%20Repositories.md)\n\n## Other\n\n| Link | Description |\n| ------ | ----------- |\n| [kqlsearch.com](https://www.kqlsearch.com/)  | KQL Search Engine |\n| [Kusto Insights Newsletter](https://kustoinsights.substack.com/) | Kusto Insights newsletter |\n| [The Definitive Guide to KQL](https://www.amazon.com/Definitive-Guide-KQL-Operations-Defending/dp/0138293384) | Using Kusto Query Language for Operations, Defending, and Threat Hunting |\n| [Kusto Query Internals](https://identityandsecuritydotcom.files.wordpress.com/2020/05/kql_internals_sentinel.pdf) | Hunting TTPs with Azure Sentinel |\n| [Microsoft Sentinel Analytics Rules](https://analyticsrules.exchange/) | Microsoft Sentinel Analytics Rules |\n| [KQL Internals](https://identityandsecuritydotcom.files.wordpress.com/2020/05/kql_internals_sentinel.pdf) | Kusto Query Internals: Hunting TTPs with Azure Sentinel |\n| [Advanced Hunting Expert Training](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-expert-training) | Advanced Hunting Expert Training 
|\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBert-JanP%2FHunting-Queries-Detection-Rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBert-JanP%2FHunting-Queries-Detection-Rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBert-JanP%2FHunting-Queries-Detection-Rules/lists"}