KQL Security Sources
This blog post is dedicated to some of the KQL security sources that I use regularly. These sources are really helpful for learning KQL, but also for improving your detection coverage in Defender For Endpoint (Advanced Hunting) or Sentinel (Analytics Rules)! Most of you know that I have my own GitHub repository where I share KQL queries, but even though I share queries myself, I also leverage a lot of other great community sources! If you are into KQL or want to get inspired, I recommend checking all of them out!
Ever wondered if a search engine for KQL existed? The dream is over, it does exist! Ugur Koc has created a search engine for security and Intune KQL queries, which helps you easily find the queries you need. At the moment of writing, the engine has indexed more than 1400 unique KQL queries!
The Azure Sentinel Repository contains a lot of useful KQL queries, but also other Sentinel-related information. The pages that are interesting to take a look at are:
- Solutions: This page provides the analytics rules for each solution (if the solution has any).
- Hunting Queries: This page provides the hunting queries for each solution.
- Parsers: This section provides parsers for the solutions that split the data into logical parts and extract additional fields, giving better insight into the data.
If you do not have Sentinel, you can still leverage this repository by using the E5 analytics rules in Advanced Hunting: you only need to change TimeGenerated to Timestamp and you are good to go!
Matt Zorich has created a beautiful collection of KQL queries in his GitHub repository. All queries are categorised by Microsoft product and that makes it easy to find the ones you need, or just to find inspiring ideas for new KQL queries.
Are you looking for advanced KQL detections? Then look no further and check out the GitHub repo of Falcon Force. All detections have been mapped to MITRE ATT&CK tactics and techniques, which makes it easier to close the gaps in your coverage. My personal favourite is the detection for T1218.002.
The repository of Mehmet Ergene also contains great KQL queries that have been mapped to MITRE ATT&CK. This repo contains some really good KQL queries that help you identify malicious activity.
This is my very own repository, which contains a variety of KQL sources including detection rules, threat hunting queries, MISP implementations, lolbin queries, functions and more. If one of those sounds interesting to you, then have a look!
Other notable sources
Because more and more repositories are being created, I was not able to list them all with a short description, so I have added links to some other notable repositories: