KQL - Detection & Threat Hunting

<a href="https://twitter.com/kj_ninja25"><img alt="X (formerly Twitter) Follow" src="https://img.shields.io/twitter/follow/kj_ninja25"></a> <a href="https://www.linkedin.com/in/kijo-girardi/"><img src="https://img.shields.io/badge/-Linkedin-0077B5.svg?logo=linkedin&style=popout"></a> <a href="https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/"><img src="https://img.shields.io/badge/Azure-KQL-00B2FF.svg?logo=microsoftazure&style=popout"></a> <a href="https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/"><img src="https://img.shields.io/badge/Azure%20Data%20Explorer-%230078D4.svg?&style=popout&logo=azure%20data%20explorer&logoColor=white"/></a>

Being able to fully leverage the data you have means you can control all activities that occurred across all Defender's workloads. However, starting from scratch can be challenging for some, and sample queries may not always suffice. Therefore, in this repository on KQL-XDR-Hunting, I will be sharing 'out-of-the-box' KQL queries based on feedback, security blogs, and new cyber attacks to assist you in your threat hunting.

LearningKijo/KQL repo architecture

| Category | Products | | :------------- | :------------- | | Endpoint | - Microsoft Defender for Endpoint <br> - Microsoft Defender Antivirus | | Email | - Exchange Online Protection <br> - Microsoft Defender for Office 365 | | Identity | - Microsoft Entra ID (Azure AD) <br> - Microsoft Defender for Identity |

LOGs | Category | Links | | :------------- | :------------- | | Detection | XDR-SIEM-Detection | | Detection | Microsoft Security Threat Insight 2023 | | Detection | Microsoft Security Threat Insight 2024 |

Usage

[!Note] If you would like to change some lines, you can even change them by yourself and adjust them depending on what data you want to take out.

Disclaimer

The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.