Being able to fully leverage the data you have means you can review all activities that occurred across all of Defender's workloads. However, starting from scratch can be challenging, and the built-in sample queries may not always suffice. Therefore, in this KQL-XDR-Hunting repository I will be sharing 'out-of-the-box' KQL queries based on feedback, security blogs, and new cyber attacks to assist you in your threat hunting.
| Category | Products |
|---|---|
| Endpoint | Microsoft Defender for Endpoint; Microsoft Defender Antivirus |
| | Exchange Online Protection; Microsoft Defender for Office 365 |
| Identity | Microsoft Entra ID (Azure AD); Microsoft Defender for Identity |
| App & Data | TBD |
| Detection | TBD |
Note
If you would like to change some lines, you can edit the queries yourself and adjust them depending on what data you want to extract.
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the author's employer.