In recent months, I have collected some awesome new #KQL sources, and this 🧵 lists them.
Are you using Defender for Endpoint, Sentinel or Intune, or do you want to learn KQL? Then have a look! #MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository with detections for a lot of the data sources available in Sentinel. For the E5 detections, take a look in the Microsoft 365 Defender folder.
Type: Query
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
Type: Query
By: @falconforceteam
Link: github.com/FalconForceTea…
This repository contains very good detections and hunting queries that look for malicious behaviour that does not trigger a default alert. The queries can be complex, but a clear explanation is provided.
Type: Query
By: @rodtrent
Link: github.com/rod-trent/Sent…
Repository with all kinds of detections, also including queries for non-Microsoft products.
Type: Query
By: @alexverboon
Link: github.com/alexverboon/MD…
This repo contains some great advanced hunting queries. Additionally, it contains a lot of extra information about KQL itself.
Type: Query
By: @BertJanCyber
Link: github.com/Bert-JanP/Hunt…
KQL detections & hunting queries for all Microsoft Security Products. Roughly 150 queries are added. MITRE ATT&CK mapping has also been implemented where applicable.
Type: Query
By: @UgurKocDe
Link: github.com/ugurkocde/KQL_…
KQL can be used in a variety of places and if you use Intune, this repository is worth checking out! If you send Intune data to Sentinel you can also use the queries in Sentinel.
Type: Query
By: @cylaris_rg
Link: github.com/cylaris/awesom…
This repository contains KQL queries based on research performed by Cylaris Threat Research Group (TRG).
Type: Learning
By: @rodtrent
Link: github.com/rod-trent/Must…
If you want to get started with KQL this is your place to be! It contains a guide on how to get started with practical examples.
Type: Learning
By: @reprise_99
Link: github.com/reprise99/awes…
The readme says it all: "A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel".
Type: Learning
By: @roy_samik
Link: youtube.com/@samikroy/vide…
This is a very recent addition to the list of sources. This channel contains videos with explanations of how to use the basic KQL functionalities.
Type: Learning
By: @KqlCafe
Link: kqlcafe.github.io/website/
The KQL Cafe is a monthly virtual event where @alexverboon & @castello_johnny share KQL knowledge with all of you. If you are interested, you can watch sessions from most of the KQL developers mentioned in this thread!