KQL queries

This repository contains KQL queries for advanced hunting in Microsoft Defender ATP and Azure Sentinel.

Source: https://github.com/Neo23x0/sigma/tree/master/rules

Wortell Enterprise Security
Creating a safer world, one organization at a time_

https://security.wortell.nl

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
AzSentinel		AzSentinel
KQL_apt_apt29_thinktanks.txt		KQL_apt_apt29_thinktanks.txt
KQL_apt_babyshark.txt		KQL_apt_babyshark.txt
KQL_apt_bear_activity_gtr19.txt		KQL_apt_bear_activity_gtr19.txt
KQL_apt_cloudhopper.txt		KQL_apt_cloudhopper.txt
KQL_apt_dragonfly.txt		KQL_apt_dragonfly.txt
KQL_apt_elise.txt		KQL_apt_elise.txt
KQL_apt_empiremonkey.txt		KQL_apt_empiremonkey.txt
KQL_apt_equationgroup_dll_u_load.txt		KQL_apt_equationgroup_dll_u_load.txt
KQL_apt_hurricane_panda.txt		KQL_apt_hurricane_panda.txt
KQL_apt_judgement_panda_gtr19.txt		KQL_apt_judgement_panda_gtr19.txt
KQL_apt_pandemic.txt		KQL_apt_pandemic.txt
KQL_apt_slingshot.txt		KQL_apt_slingshot.txt
KQL_apt_sofacy.txt		KQL_apt_sofacy.txt
KQL_apt_sofacy_zebrocy.txt		KQL_apt_sofacy_zebrocy.txt
KQL_apt_ta17_293a_ps.txt		KQL_apt_ta17_293a_ps.txt
KQL_apt_tropictrooper.txt		KQL_apt_tropictrooper.txt
KQL_apt_turla_namedpipes.txt		KQL_apt_turla_namedpipes.txt
KQL_apt_unidentified_nov_18.txt		KQL_apt_unidentified_nov_18.txt
KQL_apt_zxshell.txt		KQL_apt_zxshell.txt
KQL_auditligs_pim_requests		KQL_auditligs_pim_requests
KQL_auditlogs_newly_created_users		KQL_auditlogs_newly_created_users
KQL_azureactivity_new_role_assignments		KQL_azureactivity_new_role_assignments
KQL_azureactivity_password_reset_linux		KQL_azureactivity_password_reset_linux
KQL_azurediagnostics_sql_logins		KQL_azurediagnostics_sql_logins
KQL_crime_fireball.txt		KQL_crime_fireball.txt
KQL_officeactivity_get_exchange_events		KQL_officeactivity_get_exchange_events
KQL_officeactivity_onedrive_events		KQL_officeactivity_onedrive_events
KQL_officeactivity_sentinel		KQL_officeactivity_sentinel
KQL_officeactivity_sharepoint_onedrive_events		KQL_officeactivity_sharepoint_onedrive_events
KQL_powershell_xor_commandline.txt		KQL_powershell_xor_commandline.txt
KQL_securityalerts_mcas		KQL_securityalerts_mcas
KQL_securityevents_windows_logins		KQL_securityevents_windows_logins
KQL_signinlogs_AzurePortal		KQL_signinlogs_AzurePortal
KQL_syslog_cron_events		KQL_syslog_cron_events
KQL_sysmon_susp_rdp.txt		KQL_sysmon_susp_rdp.txt
KQL_threatintelligenceindicator		KQL_threatintelligenceindicator
KQL_win_GPO_scheduledtasks.txt		KQL_win_GPO_scheduledtasks.txt
KQL_win_account_backdoor_dcsync_rights.txt		KQL_win_account_backdoor_dcsync_rights.txt
KQL_win_account_discovery.txt		KQL_win_account_discovery.txt
KQL_win_admin_rdp_login.txt		KQL_win_admin_rdp_login.txt
KQL_win_admin_share_access.txt		KQL_win_admin_share_access.txt
KQL_win_alert_active_directory_user_control.txt		KQL_win_alert_active_directory_user_control.txt
KQL_win_alert_ad_user_backdoors.txt		KQL_win_alert_ad_user_backdoors.txt
KQL_win_alert_enable_weak_encryption.txt		KQL_win_alert_enable_weak_encryption.txt
KQL_win_alert_hacktool_use.txt		KQL_win_alert_hacktool_use.txt
KQL_win_atsvc_task.txt		KQL_win_atsvc_task.txt
KQL_win_attrib_hiding_files.txt		KQL_win_attrib_hiding_files.txt
KQL_win_bypass_squiblytwo.txt		KQL_win_bypass_squiblytwo.txt
KQL_win_cmdkey_recon.txt		KQL_win_cmdkey_recon.txt
KQL_win_cmstp_com_object_access.txt		KQL_win_cmstp_com_object_access.txt
KQL_win_dcsync.txt		KQL_win_dcsync.txt
KQL_win_disable_event_logging.txt		KQL_win_disable_event_logging.txt
KQL_win_exploit_cve_2015_1641.txt		KQL_win_exploit_cve_2015_1641.txt
KQL_win_exploit_cve_2017_0261.txt		KQL_win_exploit_cve_2017_0261.txt
KQL_win_exploit_cve_2017_11882.txt		KQL_win_exploit_cve_2017_11882.txt
KQL_win_exploit_cve_2017_8759.txt		KQL_win_exploit_cve_2017_8759.txt
KQL_win_hack_rubeus.txt		KQL_win_hack_rubeus.txt
KQL_win_impacket_secretdump.txt		KQL_win_impacket_secretdump.txt
KQL_win_lethalhta.txt		KQL_win_lethalhta.txt
KQL_win_lm_namedpipe.txt		KQL_win_lm_namedpipe.txt
KQL_win_mal_adwind.txt		KQL_win_mal_adwind.txt
KQL_win_mal_lockergoga.txt		KQL_win_mal_lockergoga.txt
KQL_win_mal_ursnif.txt		KQL_win_mal_ursnif.txt
KQL_win_mal_wannacry.txt		KQL_win_mal_wannacry.txt
KQL_win_mal_wceaux_dll.txt		KQL_win_mal_wceaux_dll.txt
KQL_win_malware_dridex.txt		KQL_win_malware_dridex.txt
KQL_win_malware_notpetya.txt		KQL_win_malware_notpetya.txt
KQL_win_malware_script_dropper.txt		KQL_win_malware_script_dropper.txt
KQL_win_malware_wannacry.txt		KQL_win_malware_wannacry.txt
KQL_win_mavinject_proc_inj.txt		KQL_win_mavinject_proc_inj.txt
KQL_win_mshta_spawn_shell.txt		KQL_win_mshta_spawn_shell.txt
KQL_win_net_ntlm_downgrade.txt		KQL_win_net_ntlm_downgrade.txt
KQL_win_netsh_fw_add.txt		KQL_win_netsh_fw_add.txt
KQL_win_netsh_port_fwd.txt		KQL_win_netsh_port_fwd.txt
KQL_win_netsh_port_fwd_3389.txt		KQL_win_netsh_port_fwd_3389.txt
KQL_win_office_shell.txt		KQL_win_office_shell.txt
KQL_win_overpass_the_hash.txt		KQL_win_overpass_the_hash.txt
KQL_win_pass_the_hash.txt		KQL_win_pass_the_hash.txt
KQL_win_plugx_susp_exe_locations.txt		KQL_win_plugx_susp_exe_locations.txt
KQL_win_possible_applocker_bypass.txt		KQL_win_possible_applocker_bypass.txt
KQL_win_powershell_amsi_bypass.txt		KQL_win_powershell_amsi_bypass.txt
KQL_win_powershell_b64_shellcode.txt		KQL_win_powershell_b64_shellcode.txt
KQL_win_powershell_dll_execution.txt		KQL_win_powershell_dll_execution.txt
KQL_win_powershell_download.txt		KQL_win_powershell_download.txt
KQL_win_powershell_renamed_ps.txt		KQL_win_powershell_renamed_ps.txt
KQL_win_powershell_suspicious_parameter_variation.txt		KQL_win_powershell_suspicious_parameter_variation.txt
KQL_win_process_creation_bitsadmin_download.txt		KQL_win_process_creation_bitsadmin_download.txt
KQL_win_psexesvc_start.txt		KQL_win_psexesvc_start.txt
KQL_win_rdp_bluekeep_poc_scanner.txt		KQL_win_rdp_bluekeep_poc_scanner.txt
KQL_win_rdp_localhost_login.txt		KQL_win_rdp_localhost_login.txt
KQL_win_rdp_reverse_tunnel.txt		KQL_win_rdp_reverse_tunnel.txt
KQL_win_sdbinst_shim_persistence.txt		KQL_win_sdbinst_shim_persistence.txt
KQL_win_shell_spawn_susp_program.txt		KQL_win_shell_spawn_susp_program.txt
KQL_win_spn_enum.txt		KQL_win_spn_enum.txt
KQL_win_susp_add_sid_history.txt		KQL_win_susp_add_sid_history.txt
KQL_win_susp_bcdedit.txt		KQL_win_susp_bcdedit.txt
KQL_win_susp_calc.txt		KQL_win_susp_calc.txt
KQL_win_susp_certutil_command.txt		KQL_win_susp_certutil_command.txt
KQL_win_susp_certutil_encode.txt		KQL_win_susp_certutil_encode.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

KQL queries

About

Uh oh!

Releases

Packages

License

rev10d/KQL

Folders and files

Latest commit

History

Repository files navigation

KQL queries

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Packages