Hunting-Queries-Detection-Rules icon indicating copy to clipboard operation
Hunting-Queries-Detection-Rules copied to clipboard

Published 20 hours ago verified publisher icon Bert-JanP

Metadata

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

KQL Advanced Hunting Queries & Analytics Rules Tweet

Threat Hunting and Detection rules for Defender For Endpoint & Azure Sentinel

This repository will be used to publish Hunting Queries or Detection rules that can be used within Azure Sentinel or Defender For Endpoint. The queries are written in KQL they can be used within Sentinel to build Analytics Rules or in Defender For Endpoint (with minor adjustments). If you have any questions feel free to reach out to me on twitter @BertJanCyber.

The queries are split into the following categories:

  • Zero Day Detection
  • Threat Hunting
  • Defender For Endpoint detection rules
  • Defender For Identity detection rules
  • Defender For Cloud Apps detection rules
  • Vulnerability Management
  • DFIR (Digital Forensics and Incident Response)
  • Azure Active Directory
  • Office 365
  • KQL Regex Example List

How to use KQL in Defender For Endpoint & Sentinel?

Defender For Endpoint

Sentinel

KQL Defender For Endpoint vs Sentinel

KQL queries can be used in both Defender For Endpoint and Azure Sentinel. The syntax is almost the same. The main difference is the field that indicates the time. It must be adjusted according to the product used. In Sentinel, the 'TimeGenerated' field is used. In DFE it is 'Timestamp'. The queries below show both in DFE and in Azure Sentinel 10 DeviceEvents of the last 7 days.

Quickstart Defender For Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| take 10

Quickstart Azure Sentinel

DeviceEvents
| where TimeGenerated > ago(7d)
| take 10

Threat Hunting and Detection rules for Defender For Endpoint & Azure Sentinel

This repository will be used to publish Hunting Queries or Detection rules that can be used within Azure Sentinel or Defender For Endpoint. The queries are written in KQL they can be used within Sentinel to build Analytics Rules or in Defender For Endpoint (with minor adjustments). If you have any questions feel free to reach out to me on twitter @BertJanCyber.

How to use KQL in Defender For Endpoint & Sentinel?

Defender For Endpoint

Sentinel

KQL Defender For Endpoint vs Sentinel

KQL queries can be used in both Defender For Endpoint and Azure Sentinel. The syntax is almost the same. The main difference is the field that indicates the time. It must be adjusted according to the product used. In Sentinel, the 'TimeGenerated' field is used. In DFE it is 'Timestamp'. The queries below show both in DFE and in Azure Sentinel 10 DeviceEvents of the last 7 days.

Quickstart Defender For Endpoint

DeviceEvents
| where Timestamp > ago(7d)
| take 10

Quickstart Azure Sentinel

DeviceEvents
| where TimeGenerated > ago(7d)
| take 10

KQL Useful Documentation

Metadata

1.0k
Stars
188
Forks
Watchers

Owner

verified publisher icon Bert-JanP

Metadata

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Back