invokethreatguy / Hunting-Queries-Detection-Rules

Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.


KQL Advanced Hunting Queries & Analytics Rules

Threat Hunting and Detection rules for Defender For Endpoint & Azure Sentinel

This repository is used to publish hunting queries and detection rules for Azure Sentinel and Defender For Endpoint. The queries are written in KQL; they can be used within Sentinel to build Analytics Rules, or in Defender For Endpoint with minor adjustments (the differences are described below). If you have any questions, feel free to reach out to me on Twitter @BertJanCyber.

The queries are split into the following categories:

How to use KQL in Defender For Endpoint & Sentinel?

Defender For Endpoint

Sentinel

KQL Defender For Endpoint vs Sentinel

KQL queries can be used in both Defender For Endpoint and Azure Sentinel, and the syntax is almost the same. The main difference is the name of the column that holds the event time, which must be adjusted to the product the query runs in: Sentinel uses 'TimeGenerated', while Defender For Endpoint (DFE) Advanced Hunting uses 'Timestamp'. The two quickstart queries below each return 10 DeviceEvents from the last 7 days, one written for DFE and one for Azure Sentinel.

Quickstart Defender For Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| take 10

Quickstart Azure Sentinel

DeviceEvents
| where TimeGenerated > ago(7d)
| take 10
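The quickstart above only shows the time column swap on a trivial query. As an added example (not one of this repository's own queries), the same hunting query is written below for both products to show that nothing else needs to change; the Sentinel version aliases TimeGenerated to Timestamp once, so every line after that is identical to the DFE version. The hunt itself (PowerShell launched with an encoded command), the 7-day lookback and the regular expression are illustrative choices, not rules from the repository.

```kql
// Added example, not a query from this repository. Run one of the two
// queries at a time (select it in the editor before running).

// ----- Defender For Endpoint (Advanced Hunting): time column is Timestamp -----
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// "-e", "-enc" or "-encodedcommand" followed by a base64-looking argument
| where ProcessCommandLine matches regex @"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
| summarize Executions = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, AccountName, InitiatingProcessFileName
| order by Executions desc

// ----- Azure Sentinel: time column is TimeGenerated -----
// The only product-specific lines are the first 'where' and the 'extend';
// the alias lets the rest of the query stay byte-for-byte the same as above.
let lookback = 7d;
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| extend Timestamp = TimeGenerated
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
| summarize Executions = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, AccountName, InitiatingProcessFileName
| order by Executions desc
```

Two practical checks before turning a query like this into an Analytics Rule: the Device* tables only exist in a Sentinel workspace when the Microsoft 365 Defender (or Defender For Endpoint) data connector is enabled and streaming them, and the ago() window of a scheduled rule should match the rule's lookback period so events are neither missed nor alerted on twice.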
