Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! In my opinion, these are the best resources for #KQL Advanced Hunting Queries or Analytics rules. #MDE #ThreatHunting #Detection #DFIR
github.com/wortell/KQL by @wortell. The focus of those queries is on Windows Event based detection and some other sources. If you ingest those logs into Sentinel, definitely take a look at this one!
github.com/alexverboon/MD… Great Defender For Endpoint Advanced Hunting rules by @alexverboon. They can also be used in Sentinel if you ingest your DFE data.
Lastly, my own KQL repo: github.com/Bert-JanP/Hunt…. At the moment more than 30 queries have been added. This one was created recently, and new queries will be added every week.