The purpose of this repository is to share KQL queries that anyone can use and understand. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions, feel free to reach out to me on Twitter @AlexVerboon.
Presenting this material as your own is illegal and forbidden. A reference to Twitter @AlexVerboon or GitHub AlexVerboon is much appreciated when sharing or using the content.
@BertJanCyber - The content structure of this repository was adopted from Bert-Jan's KQL repository
KQL Queries: While I have personally authored the majority of the KQL queries stored here, it is important to note that as I continue to collect queries in my daily work, the repository may also include KQL code contributed by others. I make every effort to acknowledge and credit the original creators whenever I have information about them.
In addition to the queries I have written myself, it's worth mentioning that certain queries within the repository may be direct copies of those found in Microsoft's online documentation and blog posts.
The queries in this repository are organised into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE ATT&CK framework. The product section contains queries specific to Microsoft security products.
- Defender XDR rules
- Defender For Endpoint detection rules
- Defender For Identity detection rules
- Defender For Cloud Apps detection rules
- App Governance
- Defender For Office 365
- Defender for IoT
- Azure Active Directory
- Active Directory
- Microsoft Sentinel
- Defender External Attack Surface Management
- Microsoft Security Exposure Management
- Azure Resource Graph