A curated repository of KQL queries and IoCs for threat hunting and detection in Microsoft Sentinel and Microsoft Defender XDR. This project is aimed at Security Engineers, SOC Analysts, and Threat Hunters.
This repository is a collection of Kusto Query Language (KQL) queries and Indicators of Compromise (IoCs) designed to help security professionals detect and hunt for threats within Microsoft's security ecosystem. The queries are organized by product and use case to make them easy to find and use.
The repository is organized as follows:
```
.
├── Sentinel/   # Queries for Microsoft Sentinel
├── XDR/        # Queries for Microsoft Defender XDR
│   ├── Defender Advanced Hunting/
│   ├── Email/
│   ├── Endpoints/
│   ├── Identities/
│   └── MDVM/
├── IOC/        # Indicators of Compromise
│   ├── APT/
│   ├── CVE/
│   └── Malware/
├── Frontend/   # Frontend for displaying queries
└── ...
```
To use these queries, you can either clone this repository or browse the files directly.

```
git clone https://github.com/timosarkar/kql.git
```

The queries are stored in `.kql` files and can be copied and pasted directly into the advanced hunting interface of the respective Microsoft security product.
A web frontend is available to search and view all queries in this repository. It can be accessed here:
https://timosarkar.github.io/kql/
The `Sentinel/` directory contains queries for use in Microsoft Sentinel. These queries cover a range of detection and hunting scenarios.

The `XDR/` directory contains queries for use in Microsoft Defender XDR's advanced hunting. The queries are categorized by the different data sources within Defender XDR:
- Defender Advanced Hunting: Queries for general advanced hunting.
- Email: Queries for hunting in email data.
- Endpoints: Queries for endpoint data.
- Identities: Queries for identity data.
- MDVM: Queries for Microsoft Defender Vulnerability Management.
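As an added illustration of how an `XDR/Endpoints/` style query and an `IOC/` list fit together (this is example code written for this README, not a query from the repository), the following advanced hunting query matches a constructed indicator list against `DeviceNetworkEvents`; the indicator values and the `Source` paths are hypothetical placeholders.

```kql
let lookback = 7d;
// Constructed sample indicators standing in for entries from the IOC/ directory.
// 203.0.113.10 is a documentation (TEST-NET-3) address; the domain is a placeholder.
let iocs = datatable(Indicator:string, Type:string, Source:string)[
    "203.0.113.10",        "ip",     "IOC/Malware/example-family.txt",
    "bad.example.invalid", "domain", "IOC/APT/example-group.txt"
];
let ioc_ips     = iocs | where Type == "ip"     | project RemoteIP  = Indicator, Source;
let ioc_domains = iocs | where Type == "domain" | project RemoteUrl = Indicator, Source;
// Endpoint network telemetry from Microsoft Defender for Endpoint.
let events = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
    | extend RemoteUrl = tolower(RemoteUrl);
// Match on destination IP and on destination URL/domain separately, then combine.
union
    (events | join kind=inner (ioc_ips)     on RemoteIP),
    (events | join kind=inner (ioc_domains) on RemoteUrl)
// Timestamp, ReportId and DeviceId are kept so the query can also be saved as a custom detection rule.
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, RemoteUrl, Source,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, RemoteIP, RemoteUrl, Source
| order by LastSeen desc
```

Replace the `datatable` with the indicators from the relevant `IOC/` file before running; the `Source` column carries the originating list through to the results so an analyst can see which campaign or malware family a hit came from.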
Contributions are welcome! If you have a query or IoC that you would like to add, please open a pull request. Please follow the existing directory structure and naming conventions.
This project is licensed under the MIT License - see the LICENSE file for details.