Query Details

KQL Community Repositories

Community Repositories

Query

# KQL Community Repositories
| Link | Description | Stars |
| ------ | ----------- | ----- |
| [Azure Sentinel Repository - Azure](https://github.com/Azure/Azure-Sentinel) | Cloud-native SIEM for intelligent security analytics for your entire enterprise |![Stars](https://img.shields.io/github/stars/Azure/Azure-Sentinel?style=flat-square&labelColor=343b41) | 
| [Sentinel-Queries - reprise99](https://github.com/reprise99/Sentinel-Queries)    |  Collection of KQL queries | ![Stars](https://img.shields.io/github/stars/reprise99/Sentinel-Queries?style=flat-square&labelColor=343b41) | 
| [Falcon Friday - FalconForceTeam](https://github.com/FalconForceTeam/FalconFriday) | Hunting queries and detections | ![Stars](https://img.shields.io/github/stars/FalconForceTeam/FalconFriday?style=flat-square&labelColor=343b41) |
| [Threat-Hunting-and-Detection - Cyb3r-Monk](https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection) | Repository for threat hunting and detection queries, etc. for Defender for Endpoint and Microsoft Sentinel in KQL(Kusto Query Language). | ![Stars](https://img.shields.io/github/stars/Cyb3r-Monk/Threat-Hunting-and-Detection?style=flat-square&labelColor=343b41) |
| [Hunting-Queries-Detection-Rules - Bert-JanP](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules) | KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. | ![Stars](https://img.shields.io/github/stars/Bert-JanP/Hunting-Queries-Detection-Rules?style=flat-square&labelColor=343b41) |
| [AzSentinelQueries - f-bader](https://github.com/f-bader/AzSentinelQueries) | Repository with Sentinel Analytics Rules and Hunting Queries  | ![Stars](https://img.shields.io/github/stars/f-bader/AzSentinelQueries?style=flat-square&labelColor=343b41) |
| [KQL-threat-hunting-queries - cyb3rmik3](https://github.com/cyb3rmik3/KQL-threat-hunting-queries) | A repository of KQL queries focused on threat hunting and threat detecting for Microsoft Sentinel & Microsoft XDR (Former Microsoft 365 Defender).  | ![Stars](https://img.shields.io/github/stars/cyb3rmik3/KQL-threat-hunting-queries?style=flat-square&labelColor=343b41) |
| [KQL - Wortell](https://github.com/wortell/KQL) |  KQL queries for Advanced Hunting  | ![Stars](https://img.shields.io/github/stars/wortell/KQL?style=flat-square&labelColor=343b41) |
| [SentinelKQL - rod-trent](https://github.com/rod-trent/SentinelKQL) |  Azure Sentinel KQL  | ![Stars](https://img.shields.io/github/stars/rod-trent/SentinelKQL?style=flat-square&labelColor=343b41) |
| [Sentinel_KQL - ep3p](https://github.com/ep3p/Sentinel_KQL) | In this repository you may find KQL (Kusto Query Language) queries and Watchlist schemes for data sources related to Microsoft Sentinel (a SIEM tool). | ![Stars](https://img.shields.io/github/stars/ep3p/Sentinel_KQL?style=flat-square&labelColor=343b41) |
| [AdvancedHuntingQueries - lawndoc](https://github.com/lawndoc/AdvancedHuntingQueries) | Microsoft 365 Advanced Hunting Queries with hotlinks that plug the query right into your tenant  | ![Stars](https://img.shields.io/github/stars/lawndoc/AdvancedHuntingQueries?style=flat-square&labelColor=343b41) |
| [MDATP AdvancedHunting - JesseEsquivel](https://github.com/JesseEsquivel/MDATP/tree/master/AdvancedHunting) | Microsoft Defender Advanced Threat Protection  | ![Stars](https://img.shields.io/github/stars/JesseEsquivel/MDATP?style=flat-square&labelColor=343b41) |
| [KQL - mjmelone](https://github.com/mjmelone/KQL/tree/master) |  Michael Melone's Kusto Query library  | ![Stars](https://img.shields.io/github/stars/mjmelone/KQL?style=flat-square&labelColor=343b41) |
| [AzureSentinel - Cloud-Architekt](https://github.com/Cloud-Architekt/AzureSentinel) | Sharing my KQL queries for Azure Sentinel | ![Stars](https://img.shields.io/github/stars/Cloud-Architekt/AzureSentinel?style=flat-square&labelColor=343b41) |
| [Hunting-Queries-Detection-Rules - alexverboon](https://github.com/alexverboon/Hunting-Queries-Detection-Rules) | KQL Queries. Microsoft 365 Defender, Microsoft Sentinel | ![Stars](https://img.shields.io/github/stars/alexverboon/Hunting-Queries-Detection-Rules?style=flat-square&labelColor=343b41) |
| [KQL Security Queries - Shivammalaviya](https://gist.github.com/Shivammalaviya) | KQL Security Queries | ![Stars](https://img.shields.io/badge/Gist-No%20Stars-lightgrey?style=flat-square&labelColor=343b41) |
| [Invictus-training - KQL-QueryPack - invictus-ir](https://github.com/invictus-ir/Invictus-training/tree/main/KQL-QueryPack) | Invictus: Cloud Incident Response Query Pack | ![Stars](https://img.shields.io/github/stars/invictus-ir/Invictus-training?style=flat-square&labelColor=343b41) |
| [DefenderATPQueries - 0xAnalyst](https://github.com/0xAnalyst/DefenderATPQueries) | Hunting Queries for Defender ATP | ![Stars](https://img.shields.io/github/stars/0xAnalyst/DefenderATPQueries?style=flat-square&labelColor=343b41) |
| [LearningKijo/KQL](https://github.com/LearningKijo/KQL) | Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint. | ![Stars](https://img.shields.io/github/stars/LearningKijo/KQL?style=flat-square&labelColor=343b41) |
| [ awesomekql  - awesomekql ](https://github.com/cylaris/awesomekql) | Microsoft Sentinel, Defender for Endpoint - KQL Detection Packs | ![Stars](https://img.shields.io/github/stars/cylaris/awesomekql?style=flat-square&labelColor=343b41) |
| [Hunting-Queries-Detection-Rules - KustoKing](https://github.com/KustoKing/Hunting-Queries-Detection-Rules) | KQL Detections for Microsoft Sentinel and Microsoft 365 Defender | ![Stars](https://img.shields.io/github/stars/KustoKing/Hunting-Queries-Detection-Rules?style=flat-square&labelColor=343b41)
| [KQL- mr-r3b00t](https://github.com/mr-r3b00t/KQL) | This is for my crappy (but hopefully useful) MDE and Sentinel KQL queries! #KQLThePlanet  | ![Stars](https://img.shields.io/github/stars/mr-r3b00t/KQL?style=flat-square&labelColor=343b41)
| [MustLearnKQL - rod-trent](https://github.com/rod-trent/MustLearnKQL) | Code included as part of the MustLearnKQL blog series | ![Stars](https://img.shields.io/github/stars/rod-trent/MustLearnKQL?style=flat-square&labelColor=343b41) |
| [kql-for-dfir - reprise99](https://github.com/reprise99/kql-for-dfir) | A guide to using Azure Data Explorer and KQL for DFIR | ![Stars](https://img.shields.io/github/stars/reprise99/kql-for-dfir?style=flat-square&labelColor=343b41) |
| [Invictus-training - Invictus](https://github.com/invictus-ir/Invictus-training/tree/main/KQL-QueryPack) | Cloud Incident Response Query Pack | ![Stars](https://img.shields.io/github/stars/invictus-ir/Invictus-training?style=flat-square&labelColor=343b41) |
| [MDATP - JesseEsquivel](https://github.com/JesseEsquivel/MDATP/tree/master/AdvancedHunting) | Microsoft Defender Advanced Threat Protection | ![Stars](https://img.shields.io/github/stars/JesseEsquivel/MDATP?style=flat-square&labelColor=343b41) |
| [DefenderATPQueries - 0xAnalyst](https://github.com/0xAnalyst/DefenderATPQueries) | Hunting Queries for Defender ATP | ![Stars](https://img.shields.io/github/stars/0xAnalyst/DefenderATPQueries?style=flat-square&labelColor=343b41) |
| [KQL - LearningKijo](https://github.com/LearningKijo/KQL) | Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint. | ![Stars](https://img.shields.io/github/stars/LearningKijo/KQL?style=flat-square&labelColor=343b41) |
| [KQL - KostasKoutrou](https://github.com/KostasKoutrou/KQL/tree/main) | KQL Queries for Advanced Hunting / Log Analytics | ![Stars](https://img.shields.io/github/stars/KostasKoutrou/KQL?style=flat-square&labelColor=343b41) |
| [Sentinel-queries - samilamppu](https://github.com/samilamppu/Sentinel-queries) | Sentinel-queries | ![Stars](https://img.shields.io/github/stars/samilamppu/Sentinel-queries?style=flat-square&labelColor=343b41) |
| [Hunting-Queries-Detection-Rules - SlimKQL](https://github.com/SlimKQL/Hunting-Queries-Detection-Rules) | KQL Queries. Microsoft Defender, Microsoft Sentinel | ![Stars](https://img.shields.io/github/stars/SlimKQL/Hunting-Queries-Detection-Rules?style=flat-square&labelColor=343b41) |
| [KustQueryLanguage_kql - m4nbat](https://github.com/m4nbat/KustQueryLanguage_kql) | Cyber Defence related kusto queries for use in Azure Sentinel and Defender advanced hunting | ![Stars](https://img.shields.io/github/stars/m4nbat/KustQueryLanguage_kql?style=flat-square&labelColor=343b41) |
| [DE-TH-Aura - SecurityAura](https://github.com/SecurityAura/DE-TH-Aura/tree/main) | Repository where I hold random detection and threat hunting queries that I come up with based on different sources of information (or even inspiration). | ![Stars](https://img.shields.io/github/stars/SecurityAura/DE-TH-Aura?style=flat-square&labelColor=343b41) |
| [Threat-Hunting-KQL-Queries - Sergio-Albea-Git](https://github.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries) | Threat-Hunting-KQL-Queries | ![Stars](https://img.shields.io/github/stars/Sergio-Albea-Git/Threat-Hunting-KQL-Queries?style=flat-square&labelColor=343b41) |
| [Kustonomicon - KernelCaleb](https://github.com/KernelCaleb/Kustonomicon) | The Kustonomicon is your reference companion for navigating the depths of Kusto Query Language (KQL). | ![Stars](https://img.shields.io/github/stars/KernelCaleb/Kustonomicon?style=flat-square&labelColor=343b41) |
| [KQL_Intune - ugurkocde](https://github.com/ugurkocde/KQL_Intune) | KQL_Intune | ![Stars](https://img.shields.io/github/stars/ugurkocde/KQL_Intune?style=flat-square&labelColor=343b41) |
| [Azure-SecOps - AttacktheSOC](https://github.com/AttacktheSOC/Azure-SecOps/tree/main/KQL) | Collection of different Azure/Entra focused solutions (Deployable templates, Function Apps, etc) | ![Stars](https://img.shields.io/github/stars/AttacktheSOC/Azure-SecOps?style=flat-square&labelColor=343b41) |
| [Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender - SubashGhimire ](https://github.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender) | KQL Sentinel and Defender Detection and Hunting Queries. |![Stars](https://img.shields.io/github/stars/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender?style=flat-square&labelColor=343b41) |
| [Hunting-Queries-Detection-Rules - HybridBrothers ](https://github.com/HybridBrothers/Hunting-Queries-Detection-Rules) | The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior |![Stars](https://img.shields.io/github/stars/HybridBrothers/Hunting-Queries-Detection-Rules?style=flat-square&labelColor=343b41) |
| [KQLAdvancedHunting - benscha ](https://github.com/benscha/KQLAdvancedHunting) | The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior |![Stars](https://img.shields.io/github/stars/benscha/KQLAdvancedHunting?style=flat-square&labelColor=343b41) |
| [Defender-for-endpoint - v3rtho ](https://github.com/v3rtho/Defender-for-endpoint/tree/main/KQL%20-%20configuration%20) | Guidance scripts related to Defender For Endpoint: installation, prereq check, configuration etc |![Stars](https://img.shields.io/github/stars/v3rtho/Defender-for-endpoint?style=flat-square&labelColor=343b41) |
| [Microsoft-Exposure-management - v3rtho ](https://github.com/v3rtho/Microsoft-Exposure-management-) | The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior |![Stars](https://img.shields.io/github/stars/v3rtho/Microsoft-Exposure-management-?style=flat-square&labelColor=343b41) |
| [100_days_of_kql_2026 - m4nbat ](https://github.com/m4nbat/100_days_of_kql_2026) | A repo to hold KQL queries as part of my 100 days of KQL effort. |![Stars](https://img.shields.io/github/stars/m4nbat/100_days_of_kql_2026?style=flat-square&labelColor=343b41) |
| [100_days_of_kql - JoshuaJapes ](https://github.com/JoshuaJapes/100_days_of_kql) |  |![Stars](https://img.shields.io/github/stars/JoshuaJapes/100_days_of_kql?style=flat-square&labelColor=343b41) |
| [100-Days-of-KQL - Jiayang-Lai ](https://github.com/Jiayang-Lai/100-Days-of-KQL) |  |![Stars](https://img.shields.io/github/stars/Jiayang-Lai/100-Days-of-KQL?style=flat-square&labelColor=343b41) |
| [100-Days-of-KQL - faslam1994 ](https://github.com/faslam1994/100_days_of_kql) | Bridewell Challenge of creating KQL queries over 100 days. |![Stars](https://img.shields.io/github/stars/faslam1994/100_days_of_kql?style=flat-square&labelColor=343b41) |
| [Sentinel-And-DefenderXDR - ThomasKur ](https://github.com/ThomasKur/Sentinel-And-DefenderXDR) | Content to be used with Microsoft Sentinel.|![Stars](https://img.shields.io/github/stars/ThomasKur/Sentinel-And-DefenderXDR?style=flat-square&labelColor=343b41) |
| [th - jkb-s](https://github.com/jkb-s/th) | Threat hunting |![Stars](https://img.shields.io/github.com/jkb-s/th?style=flat-square&labelColor=343b41) |

About this query

Explanation

This list is a collection of GitHub repositories focused on Kusto Query Language (KQL), which is used for querying data in Microsoft Sentinel, Microsoft Defender, and other Azure services. Each repository contains various resources such as KQL queries, detection rules, and analytics tools aimed at threat hunting, security analytics, and incident response. The repositories are contributed by different authors and organizations, providing a wide range of tools and examples for users interested in enhancing their security operations using KQL. The list also includes the number of stars each repository has received on GitHub, indicating their popularity or usefulness within the community.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: April 13, 2026

Tables

Azure Sentinel Repository - Azure

Keywords

AzureSentinelSecurityAnalyticsThreatHuntingDetectionMicrosoftDefenderEndpointAdvancedLog

Operators

`|``

Actions

GitHub