Each .kql file is fully self-contained with inline documentation: purpose, MITRE mappings, data source requirements, tunable thresholds, and tuning guidance.
Comprehensive phishing triage correlating email delivery, URL clicks, attachments, endpoint file activity, reply behavior, and post-delivery ZAP actions into a single view per recipient.
Alerts on confirmed malware verdicts from Cato's inline Anti Malware engine, covering both blocked and allowed files with severity escalation when malware passes through unblocked.
Detects files written to USB drives with enrichment from fleet-wide PnP events, providing VID_PID, InstancePathId, and SerialNumberId for Intune device control cross-referencing.
Detects periodic beaconing behavior from browser processes to external domains, designed to catch automated data exfiltration by malicious extensions at ~30-minute intervals.
Multi-signal detection for mass device wipe/retire/delete via Microsoft Intune, inspired by the Stryker/Handala attack. Combines static velocity thresholds, bulk operator detection, first-time operator baselining, UEBA anomaly correlation, and ML behavioral anomaly detection with tiered severity escalation.
Security Operations
Operational queries for triage, enrichment, and validation — not tied to a specific ATT&CK technique.
Configurable query to track and deduplicate alert emails from an MSSP, using session logic to group email bursts and extract case numbers from portal URLs.
Multi-layer aggregation of Imperva WAF blocked requests, enriched with ASN/organization data, rolling up from pattern to attack type to IP to organization for threat analysis.
Identifies accounts with the highest email volume and threat exposure, including a key risk metric for threats that bypassed filtering and reached user inboxes.
Hunting query to validate whether a device flagged by a decommissioned-asset detection exhibits sporadic legitimate use. Builds a daily timeline across logon, process, and network telemetry over a configurable lookback window.
🛠️ Platforms & Compatibility
| Platform | Status | Notes |
| --- | --- | --- |
| Microsoft Sentinel | Primary | All queries use TimeGenerated |
| Defender XDR Advanced Hunting | Compatible | Replace TimeGenerated with Timestamp where noted |
📝 Getting Started
1. Browse the query index above or explore the tactic folders directly.
2. Copy the .kql file contents into your Sentinel Logs or Defender Advanced Hunting query editor.
3. Configure the tunable parameters at the top of each query — time windows, thresholds, and exclusion lists — for your environment.
4. Deploy as an analytics rule or run ad-hoc for hunting and triage.
Tip: Each query includes inline comments explaining every section. Start with the configuration block and read the purpose header to understand what the query surfaces and how to tune it.
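As an added illustration of the layout the steps above describe (not one of the repository's own .kql files), here is a minimal Sentinel query with the purpose header, MITRE mapping, data-source note, tunable parameter block, and detection body, implementing a simplified form of the browser beaconing detection listed in the index. The table and column names assume Defender for Endpoint telemetry in Sentinel, the thresholds are assumed defaults, and the exclusion list entries are placeholders to replace with your own.

```kql
// Purpose: surface browser processes that contact one external domain at a steady
// cadence, the footprint of an automated exfiltration loop in a malicious extension.
// MITRE ATT&CK: T1071.001 (Web Protocols), T1041 (Exfiltration Over C2 Channel)
// Data source: DeviceNetworkEvents (Defender for Endpoint, ingested into Sentinel).
// Defender XDR Advanced Hunting: replace TimeGenerated with Timestamp below.
//
// ---- Tunable parameters (assumed defaults; adjust to your environment) ----
let lookback          = 24h;   // analysis window
let expected_interval = 30m;   // cadence to look for
let jitter            = 3m;    // tolerance either side of expected_interval
let min_beacons       = 6;     // regular connections required before a row is returned
let browsers          = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"]);
// Placeholder allowlist: replace with the update/telemetry domains seen in your fleet.
let excluded_domains  = dynamic(["update.googleapis.com", "example-telemetry.invalid"]);
//
// ---- Detection body ----
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"                      // ignore LAN / loopback traffic
| where InitiatingProcessFileName in~ (browsers)
| where isnotempty(RemoteUrl) and RemoteUrl !in~ (excluded_domains)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
// Order per device/process/domain so prev() compares each connection with the one before it.
| sort by DeviceName asc, InitiatingProcessFileName asc, RemoteUrl asc, TimeGenerated asc
| extend PrevTime = prev(TimeGenerated), PrevDevice = prev(DeviceName),
         PrevProcess = prev(InitiatingProcessFileName), PrevUrl = prev(RemoteUrl)
| where DeviceName == PrevDevice and InitiatingProcessFileName == PrevProcess and RemoteUrl == PrevUrl
| extend Interval = TimeGenerated - PrevTime
// Keep only gaps that land within the jitter window around the expected cadence.
| where abs(Interval - expected_interval) <= jitter
| summarize Beacons = count(),
            FirstSeen = min(PrevTime),
            LastSeen = max(TimeGenerated),
            MeanIntervalMin = round(avg(Interval / 1m), 1),
            RemoteIPs = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessFileName, RemoteUrl
| where Beacons >= min_beacons
| order by Beacons desc
```

Legitimate update checkers also poll on fixed timers, so expect the first run to populate excluded_domains before the threshold is trusted in an analytics rule.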
📄 License
These queries are shared for the benefit of the security community. Use and modify them freely. Attribution is appreciated but not required.
About
This repo will contain hunting and detection queries in the Kusto Query Language (KQL). I will eventually add queries that are in the Sigma language due to the ability to translate them into any querying language.