kql

There are 10 repositories under kql topic.

• Bert-JanP / Hunting-Queries-Detection-Rules

  KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

  azuredefender-for-endpointdfirkqlsentinelthreat-huntingvulnerability-managementzero-dayblueteamcybersecuritymdemdiinfosecsecuritymisp
  Language:Python 1580
• sentinel-attack

  edoardogerosa / sentinel-attack

  Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK

  siemthreat-huntingazure-sentinelmitre-attacksysmonsysmon-configazureblue-teamcybersecurityloggingsecurity-toolsdetectionkqlworkbooksterraform-azure
  1073

• FalconForceTeam / FalconFriday

  Hunting queries and detections

  kqlblueteamhuntingpurpleteamsentineldefender-atpdefender-for-endpoint
  844
• Threat-Hunting-and-Detection

  Cyb3r-Monk / Threat-Hunting-and-Detection

  Repository for threat hunting and detection queries, etc. for Defender for Endpoint and Microsoft Sentinel in KQL(Kusto Query Language).

  threat-huntingthreat-detectioncybersecuritydefender-for-endpointdetection-engineeringdfirkqlkusto-languagemicrosoft-sentinel
  Language:Jupyter Notebook 791

• SlimKQL / Hunting-Queries-Detection-Rules

  KQL Queries. Microsoft Defender, Microsoft Sentinel

  azuredefenderxdrkqlsentinelthreatdetectiondefendermicrosoftmitre-attackthreathunting
  Language:JavaScript 774

• cyb3rmik3 / KQL-threat-hunting-queries

  A repository of KQL queries focused on threat hunting and threat detecting for Microsoft Sentinel & Microsoft XDR (Former Microsoft 365 Defender).

  kqlkustomicrosoftsecuritycentersentinelkusto-querykusto-query-languagemicrosoft-365microsoft-365-defendermicrosoft-365-securitymicrosoft-securitymicrosoft-sentinelsecuritythreat-detectionthreat-huntthreat-huntingthreat-detectingmicrosoft-xdrmicrosoftxdr
  742
• KQL

  LearningKijo / KQL

  Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint.

  kqlthreat-huntingedrxdrincident-responsekusto
  483
• MDATP

  alexverboon / MDATP

  MDATP

  blogsdefender-for-endpointdefender-for-identitykqllearningmicrosoft-defender-xdrthreathuntingdefender-for-cloud-appsdefender-for-office-365
  Language:PowerShell 459

• cyb3rmik3 / MDE-DFIR-Resources

  A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging kusto queries, powershell scripts, tools such as KAPE and THOR Cloud and more.

  curated-collectionscurated-listdfirdigital-forensicsdigital-forensics-incident-responseincident-responselive-responsemdemicrosoftmicrosoft-defender-for-endpointresourceskqlkustokusto-querykusto-query-language
  414

• ashwin-patil / blue-teaming-with-kql

  Repository with Sample KQL Query examples for Threat Hunting

  threat-huntingblueteamingazure-data-explorerazure-sentinelkqlsecuritysiemloganalyticsazure
  217
• Security-Copilot

  rod-trent / Security-Copilot

  My personal work with Copilot for Security

  codecopilotkqlpluginspromptssecurity
  Language:HTML 195

• alexverboon / Hunting-Queries-Detection-Rules

  KQL Queries. Microsoft Defender, Microsoft Sentinel

  detectionkqlsecuritysentineldfirhuntingdefenderforendpointdefenderforidentityazureazureaddefenderxdrentraid
  183

• wortell / KQL

  KQL queries for Advanced Hunting

  kqlsecurityhunting
  176

• getkirby / kql

  Kirby's Query Language API combines the flexibility of Kirby's data structures, the power of GraphQL and the simplicity of REST.

  kirbycmsapiqueryflat-filefile-basedheadless-cmsquery-languagejsonkqlkirby4kirby5
  Language:PHP 151

• ep3p / Sentinel_KQL

  In this repository you may find KQL (Kusto Query Language) queries and Watchlist schemes for data sources related to Microsoft Sentinel (a SIEM tool).

  microsoftsecurityazurekqlwatchlistkustosentinelsiementraentra-idmicrosoft-sentinel
  Language:XSLT 131

• f-bader / AzSentinelQueries

  Repository with Sentinel Analytics Rules, Hunting Queries and helpful external data sources.

  analytic-rulesdetectionshacktoberfestkqlkustosentinelthreat-hunting
  Language:Bicep 131

• lawndoc / AdvancedHuntingQueries

  Microsoft 365 Advanced Hunting Queries with hotlinks that plug the query right into your tenant.

  securitycybersecuritykustokqlhuntingthreat-huntingdetectiondetection-engineeringmicrosoftmicrosoft365defender-for-endpointdefenderdefender-atpcyber-securityxdr
  129

• NeilMacMullen / kusto-loco

  C# KQL query engine with flexible I/O layers and visualization

  chartingdata-miningdata-visualizationkqlkusto
  Language:C# 111

• tobiasmcvey / kusto-queries

  example queries for learning the kusto language

  kusto-languagekqlkustoazureapplication-insights
  104

• jischell-msft / RemoteManagementMonitoringTools

  Collection of Remote Management Monitoring tool artifacts, for assisting forensics and investigations

  defender-for-endpointkqlmdesecuritythreat-huntingremotemanagementrmm
  Language:PowerShell 98

• globalbao / awesome-kql

  Collection of awesome KQL queries for use in Portal and via PowerShell - by @JesseLoudon

  azurekqlresource-graphkusto-languageazure-resource-graphazgraph
  90

• 0xAnalyst / DefenderATPQueries

  Hunting Queries for Defender ATP

  defender-atpdetection-engineeringdetection-ruleskqlmicrosoftsentinelthreat-hunting
  82

• DXC-0 / SOC-Ressources

  Repository for SOC analysts, queries to investigate, advanced hunting, sites for analysis, malware samples, courses to improve skills, IOC and monitoring.

  cybersecuritycyberdefenseedrsiemsocthreathuntingsocanalystblueteamblueteam-toolscyber-threat-intelligencecybersecurity-toolssecurityaqlkqlmdeqradarsplunkthreat-huntingsoc-analystsoc-analysts
  79
• SentinelARConverter

  f-bader / SentinelARConverter

  Sentinel Analytics Rule converter PowerShell module

  hacktoberfestcyber-securitykqlsentinel
  Language:PowerShell 65

• EEN421 / KQL-Queries

  Ian Hanley's deceptively simple KQL queries.

  azurecloud-securitycybersecuritydevsecopskqlmicrosoft-sentinel
  62

• HybridBrothers / Hunting-Queries-Detection-Rules

  The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior

  defender-for-cloud-appsdefender-for-endpointdefender-for-identitydefender-xdrentra-idkqlmicrosoftmicrosoft-securitymicrosoft-sentinel
  59

• cylaris / awesomekql

  Microsoft Sentinel, Defender for Endpoint - KQL Detection Packs

  detection-rulessiemazuredetectionkql
  54

• eshlomo1 / CloudSec

  Welcome to the Cloud Security Toolkit repository, your all-in-one destination for cutting-edge cloud security resources! Whether you're diving into offensive strategies, mastering threat hunting, or bolstering your blue-team defenses, this repo has you covered.

  aws-securityazureazure-securitycloud-securitycloudsecuritydfirgcp-securityincident-responsekqlmicrosoftmicrosoft-sentinelmicrosoftsentinelsiemsocthreat-huntingthreat-intelligencecfir
  Language:PowerShell 37

• davidnx / baby-kusto-csharp

  A self-contained execution engine for the Kusto Query Language (KQL) written in C#

  kustoazure-data-explorerdata-sciencekql
  Language:C# 36

• Azure / pykusto

  Query Kusto like a pro from the comfort of your Jupyter notebook

  kustoazure-data-explorerquery-builderkqlanalyticsjupyter-notebook
  Language:Python 32

• noodlemctwoodle / pf-azure-sentinel

  Parse pfSense/OPNSense logs using Logstash, GeoIP tag entities, add additional context to logs, then send to Azure Sentinel for analysis.

  azure-sentinelpfsense-logsgeoiplogstashparsepfsensemaxmindmaxmind-geoipfirewall-logsvisualizationopnsenseopnsense-firewallpfsense-firewallopnsense-logsmonitorkqllinux-omssentinelsentinel-dashboardanalytics
  31

• ugurkocde / KQL-Search

  azureintunekqlsecurity
  Language:JavaScript 31

• alexverboon / DefenderResourceHub

  Defender Resource Hub

  defenderedrkqlmdemdimdosentinelxdrmdci
  Language:PowerShell 29

• microsoft / Fabric-RTA-FlightStream

  Microsoft Fabric Real-time Analytics flight streaming

  etlkqllakehousepowerbipyspark-notebookstreaming
  Language:Jupyter Notebook 21

• christosgalano / sKaleQL

  sKaleQL is an opinionated template repository for managing, executing, and organizing Kusto Query Language (KQL) queries against Azure Log Analytics Workspaces.

  automationazuredevopsdevsecopsgithub-actionskqltemplate-repositorykusto-query-languagelog-analyticssecurity
  19

• squaredup / samples

  A collection of sample dashboards, custom labels, mustaches, SQL scripts and PowerShell scripts to help you get the most out of SquaredUp. #community-powered

  powershell-scriptsmustachedashboardssql-scriptssquaredupcommunity-answerskqlkustojsonpowershelldashboardsamples
  Language:PowerShell 19