What started as a single blog in 2023 is now becoming a yearly tradition. Each year, the KQL community expands with new repositories and queries. The list does not cover just security, but also Intune, Entra, and Azure Monitor.

This year, an extra step is taken to remove some AI generated slop repositories from the list to share correct example repositories.

Happy New Year to all of you!

Highlights

#100DaysOfKQL

Starting the highlights of this year with the #100DaysOfKQL series done by SecurityAura. From January 1, 2025, to April 12, 2025 he has posted some awesome content every day. All KQL queries are stored in the 100DaysOfKQL folder in his query repository.

Link	Description	Stars
DE-TH-Aura - SecurityAura	Repository where I hold random detection and threat hunting queries that I come up with based on different sources of information (or even inspiration).

Graph Queries

In 2025 more graph based queries started to be shared on GitHub, one of the people who contributed multiple graph based detections is Thomas Verheyden. He has shared multiple graph based queries for Microsoft Exporsure Management in his repository. The queries can both be used as example to lean more about graph semantics and get valuable insights from the shared queries.

Link	Description	Stars
Microsoft-Exposure-management - v3rtho	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior

HybridBrothers

Last but not least, the repository of the HybridBrothers is part of the highlighted Kusto content of 2025. They already started posting in 2024, but they leveled up their game in the last year by adding valuable queries for the community.

Link	Description	Stars
Hunting-Queries-Detection-Rules - HybridBrothers	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior

GitHub Repositories

New GitHub Repositories

Listing the repositories that were added to the list in 2025.

Link	Description	Stars
Azure-SecOps - AttacktheSOC	Collection of different Azure/Entra focused solutions (Deployable templates, Function Apps, etc)
Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender - SubashGhimire	KQL Sentinel and Defender Detection and Hunting Queries.
Hunting-Queries-Detection-Rules - HybridBrothers	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior
KQLAdvancedHunting - benscha	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior
Defender-for-endpoint - v3rtho	Guidance scripts related to Defender For Endpoint: installation, prereq check, configuration etc
Microsoft-Exposure-management - v3rtho	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior

KQL Community Repositories

Link	Description	Stars
Azure Sentinel Repository - Azure	Cloud-native SIEM for intelligent security analytics for your entire enterprise
Sentinel-Queries - reprise99	Collection of KQL queries
Falcon Friday - FalconForceTeam	Hunting queries and detections
Threat-Hunting-and-Detection - Cyb3r-Monk	Repository for threat hunting and detection queries, etc. for Defender for Endpoint and Microsoft Sentinel in KQL(Kusto Query Language).
Hunting-Queries-Detection-Rules - Bert-JanP	KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
AzSentinelQueries - f-bader	Repository with Sentinel Analytics Rules and Hunting Queries
KQL-threat-hunting-queries - cyb3rmik3	A repository of KQL queries focused on threat hunting and threat detecting for Microsoft Sentinel & Microsoft XDR (Former Microsoft 365 Defender).
KQL - Wortell	KQL queries for Advanced Hunting
SentinelKQL - rod-trent	Azure Sentinel KQL
Sentinel_KQL - ep3p	In this repository you may find KQL (Kusto Query Language) queries and Watchlist schemes for data sources related to Microsoft Sentinel (a SIEM tool).
AdvancedHuntingQueries - lawndoc	Microsoft 365 Advanced Hunting Queries with hotlinks that plug the query right into your tenant
MDATP AdvancedHunting - JesseEsquivel	Microsoft Defender Advanced Threat Protection
KQL - mjmelone	Michael Melone’s Kusto Query library
AzureSentinel - Cloud-Architekt	Sharing my KQL queries for Azure Sentinel
Hunting-Queries-Detection-Rules - alexverboon	KQL Queries. Microsoft 365 Defender, Microsoft Sentinel
KQL Security Queries - Shivammalaviya	KQL Security Queries
Invictus-training - KQL-QueryPack - invictus-ir	Invictus: Cloud Incident Response Query Pack
DefenderATPQueries - 0xAnalyst	Hunting Queries for Defender ATP
LearningKijo/KQL	Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint.
awesomekql - awesomekql	Microsoft Sentinel, Defender for Endpoint - KQL Detection Packs
Hunting-Queries-Detection-Rules - KustoKing	KQL Detections for Microsoft Sentinel and Microsoft 365 Defender
KQL- mr-r3b00t	This is for my crappy (but hopefully useful) MDE and Sentinel KQL queries! #KQLThePlanet
MustLearnKQL - rod-trent	Code included as part of the MustLearnKQL blog series
kql-for-dfir - reprise99	A guide to using Azure Data Explorer and KQL for DFIR
Invictus-training - Invictus	Cloud Incident Response Query Pack
MDATP - JesseEsquivel	Microsoft Defender Advanced Threat Protection
DefenderATPQueries - 0xAnalyst	Hunting Queries for Defender ATP
KQL - LearningKijo	Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint.
KQL - KostasKoutrou	KQL Queries for Advanced Hunting / Log Analytics
Sentinel-queries - samilamppu	Sentinel-queries
KustQueryLanguage_kql - m4nbat	Cyber Defence related kusto queries for use in Azure Sentinel and Defender advanced hunting
DE-TH-Aura - SecurityAura	Repository where I hold random detection and threat hunting queries that I come up with based on different sources of information (or even inspiration).
Threat-Hunting-KQL-Queries	Threat-Hunting-KQL-Queries
Kustonomicon	The Kustonomicon is your reference companion for navigating the depths of Kusto Query Language (KQL).
KQL_Intune	KQL_Intune
Azure-SecOps - AttacktheSOC	Collection of different Azure/Entra focused solutions (Deployable templates, Function Apps, etc)
Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender - SubashGhimire	KQL Sentinel and Defender Detection and Hunting Queries.
Hunting-Queries-Detection-Rules - HybridBrothers	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior
KQLAdvancedHunting - benscha	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior
Defender-for-endpoint - v3rtho	Guidance scripts related to Defender For Endpoint: installation, prereq check, configuration etc
Microsoft-Exposure-management - v3rtho	The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior

In case you cannot wait for new updates until next year, I keep track of the list during the year on GitHub: KQL Community Repositories

KQL Sources

If you have additions, please let me know!

Questions? Feel free to reach out to me on any of my socials.