KQL Advanced Hunting Queries & Analytics Rules

██   ██  ██████  ██                                                                                     
██  ██  ██    ██ ██                                                                                     
█████   ██    ██ ██                                                                                     
██  ██  ██ ▄▄ ██ ██                                                                                     
██   ██  ██████  ███████                                                                                
            ▀▀                                                                                          
                                                                                                        
█  ██████  ██████  ██ ███    ██ ████████   ██  ██     ██ ███████ ██       ██████  ██████  ███    ███ ███████ ██
█  ██   ██ ██   ██ ██ ████   ██    ██          ██     ██ ██      ██      ██      ██    ██ ████  ████ ██      
█  ██████  ██████  ██ ██ ██  ██    ██          ██  █  ██ █████   ██      ██      ██    ██ ██ ████ ██ █████   
█  ██      ██   ██ ██ ██  ██ ██    ██          ██ ███ ██ ██      ██      ██      ██    ██ ██  ██  ██ ██      
█  ██      ██   ██ ██ ██   ████    ██           ███ ███  ███████ ███████  ██████  ██████  ██      ██ ███████ 

KQL for Defender For Endpoint & Microsoft Sentinel

The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations. Anyone is free to use the queries. If you have any questions feel free to reach out to me on twitter @BertJanCyber.

KQL Categories

The queries in this repository are split into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE Framwork. The product section contains queries specific to Microsoft security products. The Processes section contains several queries that can be used in common cyber processes to make things easier for security analysts. In addition, there is a special category for Zero Day detections. Lastly, there is an informational section that explains the use of KQL using examples.

MITRE ATT&CK

• MITRE ATT&CK Mapping

Products

• Defender For Endpoint detection rules
• Defender For Identity detection rules
• Defender For Cloud Apps detection rules
• Defender For Office 365
• Azure Active Directory
• Microsoft Sentinel

Security Processes

• Digital Forensics and Incident Response
• Threat Hunting
• Full Threat Hunting Cases
• Vulnerability Management

Zero Day Detections

• Zero Day Detection

Informational

• KQL Regex Example List

Where to use KQL in Defender For Endpoint & Sentinel?

Defender For Endpoint

• Open security.microsoft.com
• Hunting
• Advanced Hunting

Sentinel

• Open portal.azure.com
• Search for Sentinel
• Open Sentinel
• Logs

KQL Defender For Endpoint vs Sentinel

KQL queries can be used in both Defender For Endpoint and Azure Sentinel. The syntax is almost the same. The main difference is the field that indicates the time. It must be adjusted according to the product used. In Sentinel, the 'TimeGenerated' field is used. In DFE it is 'Timestamp'. The queries below show both in DFE and in Azure Sentinel 10 DeviceEvents of the last 7 days.

Quickstart Defender For Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| take 10

Quickstart Azure Sentinel

DeviceEvents
| where TimeGenerated > ago(7d)
| take 10

KQL Useful Documentation

• KQL Quick Reference Guide
• KQL Tutorial
• KQL Cheat Sheet PDF