KQL - Detection & Threat Hunting

<a href="https://twitter.com/kj_ninja25"><img alt="X (formerly Twitter) Follow" src="https://img.shields.io/twitter/follow/kj_ninja25"></a>
<a href="https://www.linkedin.com/in/kijo-girardi/"><img src="https://img.shields.io/badge/-Linkedin-0077B5.svg?logo=linkedin&style=popout"></a>
<a href="https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/"><img src="https://img.shields.io/badge/Azure-KQL-00B2FF.svg?logo=microsoftazure&style=popout"></a>
<a href="https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/"><img src="https://img.shields.io/badge/Azure%20Data%20Explorer-%230078D4.svg?&style=popout&logo=azure%20data%20explorer&logoColor=white"/></a>

Being able to fully leverage the data you have means you can control all activities that occurred across all Defender's workloads.
However, starting from scratch can be challenging for some, and sample queries may not always suffice.
Therefore, in this repository on KQL-XDR-Hunting, I will be sharing 'out-of-the-box' KQL queries based on feedback, security blogs, and new cyber attacks to assist you in your threat hunting.

LearningKijo/KQL repo architecture

Category	Products
Endpoint	- Microsoft Defender for Endpoint <br> - Microsoft Defender Antivirus
Email	- Exchange Online Protection <br> - Microsoft Defender for Office 365
Identity	- Microsoft Entra ID (Azure AD) <br> - Microsoft Defender for Identity

LOGs

Category	Links
Detection	XDR-SIEM-Detection
Detection	Microsoft Security Threat Insight 2023
Detection	Microsoft Security Threat Insight 2024

Usage

[!Note]
If you would like to change some lines, you can even change them by yourself and adjust them depending on what data you want to take out.

Disclaimer

The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.