LearningKijo KQL Save
Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint.
KQL - Detection & Threat Hunting
Being able to fully leverage the data you have means you can control all activities that occurred across all Defender's workloads. However, starting from scratch can be challenging for some, and sample queries may not always suffice. Therefore, in this repository on KQL-XDR-Hunting, I will be sharing 'out-of-the-box' KQL queries based on feedback, security blogs, and new cyber attacks to assist you in your threat hunting.
LearningKijo/KQL repo architecture
| Category | Products |
|---|---|
| Endpoint | - Microsoft Defender for Endpoint - Microsoft Defender Antivirus |
| - Exchange Online Protection - Microsoft Defender for Office 365 |
|
| Identity | - Microsoft Entra ID (Azure AD) - Microsoft Defender for Identity |
| App & Data | TBD |
LOGs
| Category | Links |
|---|---|
| Detection | XDR-SIEM-Detection |
| Detection | Microsoft Security Threat Insight 2023 |
| Detection | Microsoft Security Threat Insight 2024 |
Usage
[!Note] If you would like to change some lines, you can even change them by yourself and adjust them depending on what data you want to take out.
Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
Open Source Agenda Badge
