crtvrffnrt/KQL


KQL Hunter

Compact, practical KQL for hunting, triage, and quick investigation pivots.

A grab-and-go set of queries for everyday defensive hunting.


At a Glance

  • Fast triage and hunting queries
  • Reusable patterns for common investigations
  • Focused on Microsoft Sentinel, Defender, and UAL-style telemetry
  • Easy to tweak for your tenant, entity, or time window

Identity

Queries for suspicious sign-ins, admin changes, impossible travel, and account activity pivots.

Mailbox

Queries for phishing, malicious mail access, inbox abuse, and suspicious URL or attachment activity.

Endpoint

Queries for malware execution, persistence, remote tools, suspicious scripts, and host reconnaissance.

Network

Queries for botnet activity, Nmap-style scanning, brute force patterns, and unusual remote connections.

Defender

Queries for tampering, real-time protection changes, AV exclusions, firewall bypass, and other control-disabling behavior.

Structure

  • Root .kql files cover the main hunts and detections
  • parser/ contains UAL parsing helpers

Use

Open a query, swap in your entity or IP, adjust the time window, and run it in your hunting workspace.
