/LearningKijo-KQL

Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint.

KQL - Detection & Threat Hunting

X (formerly Twitter) Follow

Being able to fully leverage the data you have means you can control all activities that occurred across all Defender's workloads. However, starting from scratch can be challenging for some, and sample queries may not always suffice. Therefore, in this repository on KQL-XDR-Hunting, I will be sharing 'out-of-the-box' KQL queries based on feedback, security blogs, and new cyber attacks to assist you in your threat hunting.

LearningKijo/KQL repo architecture

Category Products
Endpoint - Microsoft Defender for Endpoint
- Microsoft Defender Antivirus
Email - Exchange Online Protection
- Microsoft Defender for Office 365
Identity - Microsoft Entra ID (Azure AD)
- Microsoft Defender for Identity

LOGs

Category Links
Detection XDR-SIEM-Detection
Detection Microsoft Security Threat Insight 2023
Detection Microsoft Security Threat Insight 2024

Usage

image

Note

If you would like to change some lines, you can even change them by yourself and adjust them depending on what data you want to take out.

Disclaimer

The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.