KQL Security Sources - 2024 Update
It is great to see that more and more repositories, blogs and other sources share security-related KQL content. This post therefore provides an updated list of KQL security sources to start the new year. These sources can help you kickstart your KQL knowledge for the upcoming year by providing learning material, detection rules, hunting queries and more.
The image below shows the increase in KQL repositories and their adoption by the community. They are becoming more and more popular as companies shift to Microsoft Security solutions, and these repositories provide advanced detections, visualisations and hunting queries to detect malicious activity. I am very curious how this will develop in 2024. You can follow the changes live by following this link.
KQL Sources
Link | Description |
---|---|
kqlsearch.com | KQL Search Engine |
Kusto Insights Newsletter | Kusto Insights newsletter |
The Definitive Guide to KQL | Using Kusto Query Language for Operations, Defending, and Threat Hunting |
Kusto Query Internals | Hunting TTPs with Azure Sentinel |
GitHub Repositories
Link | Description |
---|---|
Azure Sentinel Repository - Azure | Cloud-native SIEM for intelligent security analytics for your entire enterprise |
Sentinel-Queries - reprise99 | Collection of KQL queries |
Falcon Friday - FalconForceTeam | Hunting queries and detections |
Threat-Hunting-and-Detection - Cyb3r-Monk | Repository for threat hunting and detection queries, etc. for Defender for Endpoint and Microsoft Sentinel in KQL (Kusto Query Language). |
Hunting-Queries-Detection-Rules - Bert-JanP | KQL Queries. Defender for Endpoint and Azure Sentinel hunting and detection queries in KQL. Out-of-the-box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. |
AzSentinelQueries - f-bader | Repository with Sentinel Analytics Rules and Hunting Queries |
KQL-threat-hunting-queries - cyb3rmik3 | A repository of KQL queries focused on threat hunting and threat detection for Microsoft Sentinel & Microsoft XDR (formerly Microsoft 365 Defender). |
KQL - Wortell | KQL queries for Advanced Hunting |
SentinelKQL - rod-trent | Azure Sentinel KQL |
Sentinel_KQL - ep3p | In this repository you may find KQL (Kusto Query Language) queries and Watchlist schemes for data sources related to Microsoft Sentinel (a SIEM tool). |
AdvancedHuntingQueries - lawndoc | Microsoft 365 Advanced Hunting Queries with hotlinks that plug the query right into your tenant |
MDATP AdvancedHunting - JesseEsquivel | Microsoft Defender Advanced Threat Protection |
KQL - mjmelone | Michael Melone's Kusto Query library |
AzureSentinel - Cloud-Architekt | Sharing my KQL queries for Azure Sentinel |
Hunting-Queries-Detection-Rules - alexverboon | KQL Queries. Microsoft 365 Defender, Microsoft Sentinel |
KQL Security Queries - Shivammalaviya | KQL Security Queries |
Invictus-training - KQL-QueryPack - invictus-ir | Invictus: Cloud Incident Response Query Pack |
DefenderATPQueries - 0xAnalyst | Hunting Queries for Defender ATP |
LearningKijo/KQL | Threat hunting queries in Microsoft 365 Defender, XDR. Provides out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint. |
awesomekql - awesomekql | Microsoft Sentinel, Defender for Endpoint - KQL Detection Packs |
Hunting-Queries-Detection-Rules - KustoKing | KQL Detections for Microsoft Sentinel and Microsoft 365 Defender |
KQL - mr-r3b00t | This is for my crappy (but hopefully useful) MDE and Sentinel KQL queries! #KQLThePlanet |
MustLearnKQL - rod-trent | Code included as part of the MustLearnKQL blog series |
kql-for-dfir - reprise99 | A guide to using Azure Data Explorer and KQL for DFIR |
If you have additions, please let me know!
Questions? Feel free to reach out to me on any of my socials.