├── 'Sort' function result comparison.kql
├── 30-60-90 Day CommonSecurityLog Ingest Trends.kql
├── 30-60-90 Day Ingest Trends.kql
├── 90 Day Billable Ingest Volume.kql
├── Average Daily Ingest Volume.kql
├── Cost of EventID by Computer.kql
├── Cost of EventID.kql
├── Cost of Syslog Events by Severity.kql
├── Cost of a Table.kql
├── Cost_of_workstations_logging_direct_to_Sentinel.kql
├── Day-by-Day-Change.kql
├── Detect low-and-slow password spray patterns.kql
├── Detect “wide, low-volume” password sprays.kql
├── Efficiency Exercise.kql
├── EventID by _BilledSize.kql
├── External eMail Accounts Synced to Outlook used to Send Attachments.kql
├── FIle_Activity_Audit.kql
├── FailedLoginAttempts.kql
├── Failed_Login_Attempts_Analytics_Rule.kql
├── GB per Table.kql
├── How Many Times Does This EventID fire from This Machine on This Day.kql
├── How loud is a Table?.kql
├── Log_Sources_with_Greatest_Delta.kql
├── Mitre ATT&CK Tactics Observed.kql
├── Mitre ATT&CK Techniques Observed.kql
├── QBRs
│   ├── Alert_Trends.kql
│   ├── Data Sources with Biggest Delta in Log Volume.kql
│   └── ReportQueries.kql
├── README.md
├── Top 10 Alerts.kql
├── Top 10 CommonSecurityLogs by Severity Level with Cost (Enhanced).kql
├── Top 10 Log Sources with Cost (Enhanced).kql
├── Top 10 Security Events with Cost (Enhanced).kql
├── Top Blocked Malware Email Events.kql
├── Top Blocked Phishing Events.kql
├── Top Phishing Domains.kql
├── Top Phishing Targets.kql
├── Top_10_Billable_Log_Sources.kql
├── Top_10_Billable_MDE_Tables.kql
├── Top_10_EventIDs_Windows_SecurityEvents.kql
├── Top_10_Tables (exclude MDE).kql
├── Top_10_WindowsEvent_EventIDs.kql
├── What's this user doing?.kql
├── Which Accounts are Throwing this EventID?.kql
├── Which Devices are Internet Facing?.kql
├── Which Devices are Throwing this EventID?.kql
├── Which Devices or Software are EoL?.kql
├── Which EventID fires the most in a month?.kql
├── Who's Activating Roles via PIM?.kql
├── Who's Clicking on Junk Mail?.kql
├── Who's Logging In and When?.kql
├── Who_Deleted_an_AD_User?.kql
├── pihole
│   ├── Blocked_Queries_Over_Time.kql
│   ├── DNS_Query_Volume.kql
│   ├── Most_Queried_Domains.kql
│   ├── New_or_Rarely_Seen_Domains.kql
│   ├── Query_Type_Distribution.kql
│   ├── Success_vs_Failure.kql
│   ├── Top Blocked Domains.kql
│   ├── Top_Clients.kql
│   └── pihole_Usage.kql
└── test.kql

/'Sort' function result comparison.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/'Sort' function result comparison.kql
--------------------------------------------------------------------------------

/30-60-90 Day CommonSecurityLog Ingest Trends.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/30-60-90 Day CommonSecurityLog Ingest Trends.kql
--------------------------------------------------------------------------------

/30-60-90 Day Ingest Trends.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/30-60-90 Day Ingest Trends.kql
--------------------------------------------------------------------------------

/90 Day Billable Ingest Volume.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/90 Day Billable Ingest Volume.kql
--------------------------------------------------------------------------------

/Average Daily Ingest Volume.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Average Daily Ingest Volume.kql
--------------------------------------------------------------------------------

/Cost of EventID by Computer.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Cost of EventID by Computer.kql
--------------------------------------------------------------------------------

/Cost of EventID.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Cost of EventID.kql
--------------------------------------------------------------------------------

/Cost of Syslog Events by Severity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Cost of Syslog Events by Severity.kql
--------------------------------------------------------------------------------

/Cost of a Table.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Cost of a Table.kql
--------------------------------------------------------------------------------

/Cost_of_workstations_logging_direct_to_Sentinel.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Cost_of_workstations_logging_direct_to_Sentinel.kql
--------------------------------------------------------------------------------

/Day-by-Day-Change.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Day-by-Day-Change.kql
--------------------------------------------------------------------------------

/Detect low-and-slow password spray patterns.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Detect low-and-slow password spray patterns.kql
--------------------------------------------------------------------------------

/Detect “wide, low-volume” password sprays.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Detect “wide, low-volume” password sprays.kql
--------------------------------------------------------------------------------

/Efficiency Exercise.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Efficiency Exercise.kql
--------------------------------------------------------------------------------

/EventID by _BilledSize.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/EventID by _BilledSize.kql
--------------------------------------------------------------------------------

/External eMail Accounts Synced to Outlook used to Send Attachments.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/External eMail Accounts Synced to Outlook used to Send Attachments.kql
--------------------------------------------------------------------------------

/FIle_Activity_Audit.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/FIle_Activity_Audit.kql
--------------------------------------------------------------------------------

/FailedLoginAttempts.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/FailedLoginAttempts.kql
--------------------------------------------------------------------------------

/Failed_Login_Attempts_Analytics_Rule.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Failed_Login_Attempts_Analytics_Rule.kql
--------------------------------------------------------------------------------

/GB per Table.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/GB per Table.kql
--------------------------------------------------------------------------------

/How Many Times Does This EventID fire from This Machine on This Day.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/How Many Times Does This EventID fire from This Machine on This Day.kql
--------------------------------------------------------------------------------

/How loud is a Table?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/How loud is a Table?.kql
--------------------------------------------------------------------------------

/Log_Sources_with_Greatest_Delta.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Log_Sources_with_Greatest_Delta.kql
--------------------------------------------------------------------------------

/Mitre ATT&CK Tactics Observed.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Mitre ATT&CK Tactics Observed.kql
--------------------------------------------------------------------------------

/Mitre ATT&CK Techniques Observed.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Mitre ATT&CK Techniques Observed.kql
--------------------------------------------------------------------------------

/QBRs/Alert_Trends.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/QBRs/Alert_Trends.kql
--------------------------------------------------------------------------------

/QBRs/Data Sources with Biggest Delta in Log Volume.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/QBRs/Data Sources with Biggest Delta in Log Volume.kql
--------------------------------------------------------------------------------

/QBRs/ReportQueries.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/QBRs/ReportQueries.kql
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/README.md
--------------------------------------------------------------------------------

/Top 10 Alerts.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top 10 Alerts.kql
--------------------------------------------------------------------------------

/Top 10 CommonSecurityLogs by Severity Level with Cost (Enhanced).kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top 10 CommonSecurityLogs by Severity Level with Cost (Enhanced).kql
--------------------------------------------------------------------------------

/Top 10 Log Sources with Cost (Enhanced).kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top 10 Log Sources with Cost (Enhanced).kql
--------------------------------------------------------------------------------

/Top 10 Security Events with Cost (Enhanced).kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top 10 Security Events with Cost (Enhanced).kql
--------------------------------------------------------------------------------

/Top Blocked Malware Email Events.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top Blocked Malware Email Events.kql
--------------------------------------------------------------------------------

/Top Blocked Phishing Events.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top Blocked Phishing Events.kql
--------------------------------------------------------------------------------

/Top Phishing Domains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top Phishing Domains.kql
--------------------------------------------------------------------------------

/Top Phishing Targets.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top Phishing Targets.kql
--------------------------------------------------------------------------------

/Top_10_Billable_Log_Sources.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top_10_Billable_Log_Sources.kql
--------------------------------------------------------------------------------

/Top_10_Billable_MDE_Tables.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top_10_Billable_MDE_Tables.kql
--------------------------------------------------------------------------------

/Top_10_EventIDs_Windows_SecurityEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top_10_EventIDs_Windows_SecurityEvents.kql
--------------------------------------------------------------------------------

/Top_10_Tables (exclude MDE).kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top_10_Tables (exclude MDE).kql
--------------------------------------------------------------------------------

/Top_10_WindowsEvent_EventIDs.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Top_10_WindowsEvent_EventIDs.kql
--------------------------------------------------------------------------------

/What's this user doing?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/What's this user doing?.kql
--------------------------------------------------------------------------------

/Which Accounts are Throwing this EventID?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Which Accounts are Throwing this EventID?.kql
--------------------------------------------------------------------------------

/Which Devices are Internet Facing?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Which Devices are Internet Facing?.kql
--------------------------------------------------------------------------------

/Which Devices are Throwing this EventID?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Which Devices are Throwing this EventID?.kql
--------------------------------------------------------------------------------

/Which Devices or Software are EoL?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Which Devices or Software are EoL?.kql
--------------------------------------------------------------------------------

/Which EventID fires the most in a month?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Which EventID fires the most in a month?.kql
--------------------------------------------------------------------------------

/Who's Activating Roles via PIM?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Who's Activating Roles via PIM?.kql
--------------------------------------------------------------------------------

/Who's Clicking on Junk Mail?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Who's Clicking on Junk Mail?.kql
--------------------------------------------------------------------------------

/Who's Logging In and When?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Who's Logging In and When?.kql
--------------------------------------------------------------------------------

/Who_Deleted_an_AD_User?.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/Who_Deleted_an_AD_User?.kql
--------------------------------------------------------------------------------

/pihole/Blocked_Queries_Over_Time.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/Blocked_Queries_Over_Time.kql
--------------------------------------------------------------------------------

/pihole/DNS_Query_Volume.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/DNS_Query_Volume.kql
--------------------------------------------------------------------------------

/pihole/Most_Queried_Domains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/Most_Queried_Domains.kql
--------------------------------------------------------------------------------

/pihole/New_or_Rarely_Seen_Domains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/New_or_Rarely_Seen_Domains.kql
--------------------------------------------------------------------------------

/pihole/Query_Type_Distribution.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/Query_Type_Distribution.kql
--------------------------------------------------------------------------------

/pihole/Success_vs_Failure.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/Success_vs_Failure.kql
--------------------------------------------------------------------------------

/pihole/Top Blocked Domains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/Top Blocked Domains.kql
--------------------------------------------------------------------------------

/pihole/Top_Clients.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/Top_Clients.kql
--------------------------------------------------------------------------------

/pihole/pihole_Usage.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/pihole/pihole_Usage.kql
--------------------------------------------------------------------------------

/test.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/EEN421/KQL-Queries/HEAD/test.kql
--------------------------------------------------------------------------------