Welcome to the M365 Defender Hunting Queries repository. This repository contains a collection of Kusto Query Language (KQL) scripts designed to detect and analyze security events in Microsoft 365 Defender. The queries are organized into separate directories for Azure, Defender XDR, and Sentinel.
- Azure: Contains KQL queries for hunting and analyzing security events in Azure.
- Defender XDR: Contains KQL queries for extended detection and response (XDR) in Microsoft Defender.
- Sentinel: Contains KQL queries for Microsoft Sentinel, a cloud-native SIEM solution.
- Defender for O365: Contains KQL queries for monitoring and analyzing security events in Microsoft Defender for Office 365.
To get started with using the queries in this repository, follow these steps:
- Clone the repository to your local machine: `git clone https://github.com/your-username/M365-Defender-Hunting-Queries.git`
- Navigate to the directory of your choice (Azure, Defender XDR, or Sentinel) to find the relevant queries.
- Use the queries in your Microsoft 365 Defender environment to enhance your security monitoring and threat detection capabilities.
Script written by David Bouhadana.
- Blog: M365 journey
This project is licensed under GNU GPL 3. You are free to use, modify, and distribute this code as long as your modifications and derived versions are also licensed under GNU GPL 3. For more information, refer to the full GNU GPL 3 license text.