Skip to content

Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Notifications You must be signed in to change notification settings

0x000Akbar/Hunting-Queries-Detection-Rules

 
 

Repository files navigation

KQL Advanced Hunting Queries & Analytics Rules Tweet

██   ██  ██████  ██                                                                                     
██  ██  ██    ██ ██                                                                                     
█████   ██    ██ ██                                                                                     
██  ██  ██ ▄▄ ██ ██                                                                                     
██   ██  ██████  ███████                                                                                
            ▀▀                                                                                          
                                                                                                        
█  ██████  ██████  ██ ███    ██ ████████   ██  ██     ██ ███████ ██       ██████  ██████  ███    ███ ███████ ██
█  ██   ██ ██   ██ ██ ████   ██    ██          ██     ██ ██      ██      ██      ██    ██ ████  ████ ██      
█  ██████  ██████  ██ ██ ██  ██    ██          ██  █  ██ █████   ██      ██      ██    ██ ██ ████ ██ █████   
█  ██      ██   ██ ██ ██  ██ ██    ██          ██ ███ ██ ██      ██      ██      ██    ██ ██  ██  ██ ██      
█  ██      ██   ██ ██ ██   ████    ██           ███ ███  ███████ ███████  ██████  ██████  ██      ██ ███████ 

KQL for Defender For Endpoint & Microsoft Sentinel

The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions feel free to reach out to me on twitter @BertJanCyber.

KQL Categories

The queries in this repository are split into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE Framwork. The product section contains queries specific to Microsoft security products. The Processes section contains several queries that can be used in common cyber processes to make things easier for security analysts. In addition, there is a special category for Zero Day detections. Lastly, there is an informational section that explains the use of KQL using examples.

MITRE ATT&CK

Products

Security Processes

Zero Day Detections

Informational

Where to use KQL in Defender For Endpoint & Sentinel?

Defender For Endpoint

Sentinel

KQL Defender For Endpoint vs Sentinel

KQL queries can be used in both Defender For Endpoint and Azure Sentinel. The syntax is almost the same. The main difference is the field that indicates the time. It must be adjusted according to the product used. In Sentinel, the 'TimeGenerated' field is used. In DFE it is 'Timestamp'. The queries below show both in DFE and in Azure Sentinel 10 DeviceEvents of the last 7 days.

Quickstart Defender For Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| take 10

Quickstart Azure Sentinel

DeviceEvents
| where TimeGenerated > ago(7d)
| take 10

KQL Useful Documentation

About

Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published