KQL Cafe community

MIT License

KQL Cafe Community Queries

This repo contains KQL queries shared by the KQL Cafe community.

How to contribute

Everyone can freely add a file for a new query or improve on existing queries. To help other users locate new queries quickly, we suggest that you:

  • Create a new MarkDown file in the relevant folder based on the query submission template
  • In the new file:
    • Provide a name for the query that represents the components or activities that it searches for, e.g. AzureAD successful break glass account logon
    • Describe the query and provide sufficient guidance when applicable
    • If your query relates to security, select the MITRE ATT&CK categories that apply by marking the appropriate cell with a "v"
  • Use the query name as the file name, separating each word with a hyphen (-), e.g. azuread-breakglassaccount-logins.md
  • For security-related queries, include comments that explain the attack technique or anomaly being hunted. Otherwise, just explain the purpose of the query. Whenever possible, provide links to related documentation.

If you are not familiar with GitHub, you can also simply submit your code by creating an Issue using the New Query template.