https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
KQL Queries. Microsoft Defender, Microsoft Sentinel
- Host: GitHub
- URL: https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
- Owner: SlimKQL
- License: bsd-3-clause
- Created: 2024-08-02T06:30:38.000Z
- Default Branch: main
- Last Pushed: 2025-02-11T08:05:21.000Z
- Last Synced: 2025-02-11T09:32:43.763Z
- Topics: azure, defender, defenderxdr, kql, microsoft, mitre-attack, sentinel, threatdetection, threathunting
- Language: HTML
- Homepage: https://steven.lim.name
- Size: 835 KB
- Stars: 445
- Watchers: 29
- Forks: 73
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - SlimKQL/Hunting-Queries-Detection-Rules - KQL Queries. Microsoft Defender, Microsoft Sentinel (HTML)
- awesome-detection-engineer - KQL Queries | SlimKQL - Collection of KQL queries.
README
KQL Sentinel & Defender queries
KQL for Defender XDR, Microsoft Sentinel & other Microsoft Solutions
The purpose of this repository is to share KQL queries that anyone can use and understand. These queries are intended to increase detection coverage by working directly with the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of them can be made detectable from the logs. The collection includes Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions feel free to reach out to me on [Linkedin Steven Lim](https://www.linkedin.com/in/0x534c/)
Presenting this material as your own is illegal and forbidden. A reference to Linkedin @0x534c or Github @SLimKQL is much appreciated when sharing or using the content.
[SlimKQL Hunting-Queries-Detection-Rules](https://github.com/SlimKQL/Hunting-Queries-Detection-Rules)
- [Azure KQLs](https://github.com/SlimKQL/Hunting-Queries-Detection-Rules/tree/main/Azure)
- [DefenderXDR KQLs](https://github.com/SlimKQL/Hunting-Queries-Detection-Rules/tree/main/DefenderXDR)
- [Sentinel KQLs](https://github.com/SlimKQL/Hunting-Queries-Detection-Rules/tree/main/Sentinel)
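As an illustration of the kind of query the README describes (activity that raises no alert by default, but is visible in the logs), here is an added example hunting query written for this page. It is not code from the SlimKQL repository. It runs in Defender XDR Advanced Hunting, or in Sentinel when the `DeviceProcessEvents` table is ingested via the Defender XDR connector, and looks for `certutil.exe` being used to download a file from a URL (MITRE ATT&CK T1105, Ingress Tool Transfer). The 7-day lookback and the regex used to pull out the URL are choices made for this example.

```kql
// Added example hunting query (not from the SlimKQL repository).
// certutil.exe with -urlcache/-verifyctl and an http(s) URL is a common
// living-off-the-land download, which by itself does not raise a default alert.
let lookback = 7d;                       // assumption: 7-day hunting window
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("urlcache", "verifyctl")
| where ProcessCommandLine has_any ("http://", "https://")
// Pull the first URL out of the command line for triage.
| extend DownloadUrl = extract(@"https?://\S+", 0, ProcessCommandLine)
// Timestamp, ReportId and DeviceId are kept so the same query can be saved
// as a Defender XDR custom detection rule, which requires those columns.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine, DownloadUrl
| order by Timestamp desc
```

To turn the hunt into a detection, keep the projected identity columns and tune out known administrative use (for example by excluding an allow-listed `InitiatingProcessFileName` or internal download hosts) before saving it as a custom detection rule.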