├── BiosInfo
│   ├── BIOS Details.kql
│   └── Old BIOS Versions.kql
├── CPU
│   ├── Assess CPU Physical Characteristics.kql
│   ├── Detect CPU Overclocking.kql
│   ├── Identify CPU Configuration.kql
│   └── Monitor CPU Performance and Health.kql
├── Certificate
│   ├── Certificates That Will Expire in the Next 90 days.kql
│   ├── Intune MDM Device Certificate.kql
│   ├── List All CA Certificates.kql
│   ├── Show All Certificates That Are Not Stored in Localmachine.kql
│   ├── Show All Insecure Certificates.kql
│   ├── Show All Self-Signed Certificates.kql
│   ├── Show Expired Certificates on Device.kql
│   └── Show Valid Certificates on Device.kql
├── DiskDrive
│   └── Find Disk Information.kql
├── FileInfo
│   ├── Monitor Hosts File.kql
│   └── Search Recently Created Files at a Location.kql
├── LICENSE
├── LocalGroup
│   └── Show all Local Groups on Device.kql
├── LogicalDrive
│   └── Show All Local Drives.kql
├── Multi-Device-Query
│   ├── Find Devices with BitLocker Not Enabled.kql
│   ├── Find Devices with Multiple Physical Disks.kql
│   ├── Identify CPU Architecture Distribution.kql
│   ├── Identify Devices with Outdated BIOS.kql
│   └── System Age and Update Status Analysis.kql
├── Process
│   ├── Analyze Start Times and Run Durations of Processes.kql
│   ├── Command Lines Used to Start Processes.kql
│   ├── Detect Processes That Are Reading or Writing Significantly to Disk.kql
│   ├── Determine Which Users Are Running Which Processes.kql
│   ├── Find All System Processes Related to Defender, Sense or Security.kql
│   ├── Find Processes With High Memory Usage.kql
│   ├── Find Processes With Unusually High Thread or Handle Counts.kql
│   ├── Flag Processes With Disproportionately Large Virtual Memory Usage.kql
│   ├── Identify Processes That Are Heavily Using Disk Space.kql
│   ├── Identify Top Disk IO Processes.kql
│   ├── Identify Unexpected or Unknown Processes Running From Unusual Paths.kql
│   ├── Impact of Processes Over Time by Looking at How Long They Run.kql
│   ├── List All Process That Running Under NT Authority.kql
│   ├── Most frequently running Processes.kql
│   ├── Track the Usage of Specific Applications and How Often They Are Started.kql
│   └── Track the Working Directories of Processes.kql
├── README.md
├── Tpm
│   └── Check if TPM 2.0 is available.kql
├── WIndowsRegistry
│   ├── Identify Programs Set to Auto-Run at Startup.kql
│   └── Lookup Registry Keys Wildcard.kql
├── WindowsAppCrashEvent
│   ├── List of Applications Crashes.kql
│   └── Windows App Crash Events Grouped by the App and Its Version.kql
├── WindowsDriver
│   ├── Find Drivers That Don’t Have Associated Inf Files.kql
│   ├── Group Drivers by Their Provider Name.kql
│   ├── Number of Signed and Unsigned Drivers.kql
│   └── Show All Drivers That Are Not Signed.kql
├── WindowsEvent
│   ├── Assigned Primary Tokens.kql
│   ├── Blue Screen of Death.kql
│   ├── Check if Device Restart Is Required.kql
│   ├── Event Log was Cleared.kql
│   ├── Failed User Account Login.kql
│   ├── Number of Events per Provider.kql
│   ├── Overview Event Level Types for Windows Applications Events.kql
│   ├── Query Recent Windows System Event Logs.kql
│   ├── Service Start Failure.kql
│   ├── Show All Application Events.kql
│   ├── Show Application Crashes.kql
│   ├── Show Application Hangs.kql
│   ├── Show Failed Licence Activations.kql
│   ├── Show Latest Application Installations.kql
│   ├── Show Services That Have Started.kql
│   ├── Show Services That Have Stopped.kql
│   ├── Successful User Account Login.kql
│   ├── System Time Changed.kql
│   ├── User Added to Privileged Group.kql
│   ├── User Right Assigned.kql
│   └── Windows Update Installations.kql
├── WindowsQfe
│   └── Windows Quick Fix Engineering Hot Fixes.kql
└── media
    └── howto.png

/BiosInfo/BIOS Details.kql:
--------------------------------------------------------------------------------
// Use Case: Show all BIOS related information.
BiosInfo
| project Manufacturer, ReleaseDateTime, SerialNumber, SmBiosVersion
--------------------------------------------------------------------------------
/BiosInfo/Old BIOS Versions.kql:
--------------------------------------------------------------------------------
// Identify BIOS versions older than 1 year
BiosInfo
| where ReleaseDateTime < ago(365d)
| project Manufacturer, SmBiosVersion, ReleaseDateTime
--------------------------------------------------------------------------------
/CPU/Assess CPU Physical Characteristics.kql:
--------------------------------------------------------------------------------
// Use Case: Gather information on the processor type, socket designation, and address width. This could be relevant for hardware upgrades or compatibility checks.
Cpu
| project ProcessorType, SocketDesignation, AddressWidth
--------------------------------------------------------------------------------
/CPU/Detect CPU Overclocking.kql:
--------------------------------------------------------------------------------
// Use Case: Compare the current clock speed against the maximum clock speed to identify if the CPU is being overclocked.
Cpu
| project ProcessorId, CurrentClockSpeed, MaxClockSpeed, Overclocked = iif(CurrentClockSpeed > MaxClockSpeed, 'Yes', 'No')
--------------------------------------------------------------------------------
/CPU/Identify CPU Configuration.kql:
--------------------------------------------------------------------------------
// Use Case: Extract information about the CPU's architecture, core count, and logical processor count. This can be useful for understanding the computing capabilities of the device.
Cpu
| project Architecture, CoreCount, LogicalProcessorCount
--------------------------------------------------------------------------------
/CPU/Monitor CPU Performance and Health.kql:
--------------------------------------------------------------------------------
// Use Case: Query to find the current clock speed, maximum clock speed, and status of the CPU. This can help in understanding if the CPU is being throttled or if it's operating normally.
Cpu
| project CurrentClockSpeed, MaxClockSpeed, CpuStatus
--------------------------------------------------------------------------------
/Certificate/Certificates That Will Expire in the Next 90 days.kql:
--------------------------------------------------------------------------------
// Use Case: Generating a list of expiring SSL certificates for proactive renewal within the next 90 days.
Certificate
| project SubjectName, ValidFromDateTime, ValidToDateTime, CommonName
| where ValidToDateTime > now() and ValidToDateTime < now() + 90d
--------------------------------------------------------------------------------
/Certificate/Intune MDM Device Certificate.kql:
--------------------------------------------------------------------------------
// Use Case: Managing and monitoring all Intune related certificates.
Certificate
| where CommonName contains 'Intune'
--------------------------------------------------------------------------------
/Certificate/List All CA Certificates.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying and extracting information on certificate authorities.
Certificate
| where IsCa == true
| project IsCa, CommonName, SubjectName
--------------------------------------------------------------------------------
/Certificate/Show All Certificates That Are Not Stored in Localmachine.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring and ensuring the security of SSL certificates across different store locations by tracking their common and subject names.
Certificate
| where StoreLocation != 'LocalMachine' // keep only certificates outside the LocalMachine store (assumes StoreLocation uses the value 'LocalMachine')
| project StoreLocation, CommonName, SubjectName
--------------------------------------------------------------------------------
/Certificate/Show All Insecure Certificates.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying outdated or potentially insecure digital certificates that use SHA-1 or MD5 hashing algorithms for a cybersecurity audit.
Certificate
| where SigningAlgorithm contains 'sha1' or SigningAlgorithm contains 'md5'
| project SigningAlgorithm, SubjectName, CommonName, SelfSigned
--------------------------------------------------------------------------------
/Certificate/Show All Self-Signed Certificates.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying self-signed certificates in a network to assess security risks.
Certificate
| where SelfSigned == true
| project SubjectName, CommonName, SelfSigned
--------------------------------------------------------------------------------
/Certificate/Show Expired Certificates on Device.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying expired certificates to prevent security vulnerabilities and ensure continuous encrypted communication.
Certificate
| where ValidToDateTime < now()
| project ValidToDateTime, SubjectName, CommonName
--------------------------------------------------------------------------------
/Certificate/Show Valid Certificates on Device.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying and monitoring active SSL/TLS certificates to ensure website security and trustworthiness.
Certificate
| where ValidToDateTime > now()
| project ValidToDateTime, SubjectName, CommonName
--------------------------------------------------------------------------------
/DiskDrive/Find Disk Information.kql:
--------------------------------------------------------------------------------
// Use Case: Show all information about the physical disks
DiskDrive
--------------------------------------------------------------------------------
/FileInfo/Monitor Hosts File.kql:
--------------------------------------------------------------------------------
// Use Case: The hosts file located at C:\Windows\System32\drivers\etc\hosts is consulted for host name resolution before DNS. Alterations made to this file can reroute network traffic or prevent software updates from occurring.
FileInfo('C:\\Windows\\System32\\drivers\\etc\\hosts') // backslashes doubled inside the string, as in the other path queries in this repository
| project Path, FileName, SizeBytes, LastModifiedDateTime, Attributes
--------------------------------------------------------------------------------
/FileInfo/Search Recently Created Files at a Location.kql:
--------------------------------------------------------------------------------
// Use Case: Search recently created files at a location
FileInfo('C:\\Windows\\*')
| order by CreatedDateTime desc
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Ugur Koc | Microsoft MVP

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/LocalGroup/Show all Local Groups on Device.kql:
--------------------------------------------------------------------------------
// Use Case: Show all locally available user groups, including privileged groups
LocalGroup
--------------------------------------------------------------------------------
/LogicalDrive/Show All Local Drives.kql:
--------------------------------------------------------------------------------
// Use Case: List all local drives on this Windows PC
LogicalDrive
--------------------------------------------------------------------------------
/Multi-Device-Query/Find Devices with BitLocker Not Enabled.kql:
--------------------------------------------------------------------------------
// This query identifies devices where BitLocker is not enabled on the C: drive.
EncryptableVolume
| where WindowsDriveLetter == "C:" and ProtectionStatus != "PROTECTED"
| project Device, WindowsDriveLetter, ProtectionStatus, EncryptionMethod, EncryptionPercentage
--------------------------------------------------------------------------------
/Multi-Device-Query/Find Devices with Multiple Physical Disks.kql:
--------------------------------------------------------------------------------
// This query identifies devices that have more than one physical disk.
DiskDrive
| summarize DiskCount=count() by Device
| where DiskCount > 1
--------------------------------------------------------------------------------
/Multi-Device-Query/Identify CPU Architecture Distribution.kql:
--------------------------------------------------------------------------------
// This query summarizes the distribution of CPU architectures across devices.
Cpu
| summarize DeviceCount=count() by Architecture, Manufacturer, Model
--------------------------------------------------------------------------------
/Multi-Device-Query/Identify Devices with Outdated BIOS.kql:
--------------------------------------------------------------------------------
// This query identifies devices with a BIOS release date older than 1 year.
BiosInfo
| where ReleaseDateTime < ago(365d)
| project Device, Manufacturer, SmBiosVersion, ReleaseDateTime
--------------------------------------------------------------------------------
/Multi-Device-Query/System Age and Update Status Analysis.kql:
--------------------------------------------------------------------------------
// This query identifies devices with an OS installation older than 3 years and calculates the number of days since the last patch.
OsVersion
| join (
    WindowsQfe
    | summarize LastPatchDate = max(InstalledDate) by Device
) on Device
| where InstallDateTime < ago(1095d)
| project Device, OsName, InstallDateTime, LastPatchDate,
    DaysSinceLastPatch = datetime_diff('day', now(), LastPatchDate)
--------------------------------------------------------------------------------
/Process/Analyze Start Times and Run Durations of Processes.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying and analyzing the processes within a system that have experienced the longest durations, helping prioritize optimization efforts.
Process
| project ProcessName, StartDateTime, ElapsedTimeInMinutes = ElapsedTimeMilliseconds / 60000, ElapsedTimeMilliseconds
| where ElapsedTimeMilliseconds > 0 // Ensures we focus on processes that have started and have a measurable duration
| order by ElapsedTimeInMinutes desc // Orders the results to highlight processes with the longest durations first
--------------------------------------------------------------------------------
/Process/Command Lines Used to Start Processes.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring and analyzing the execution of processes on a computer to identify and investigate potential security threats or system performance issues.
Process
| project ProcessName, CommandLine, StartDateTime
| where isnotnull(CommandLine) and CommandLine != '' // Filter out empty or null command lines
| order by ProcessName, StartDateTime
--------------------------------------------------------------------------------
/Process/Detect Processes That Are Reading or Writing Significantly to Disk.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring and identifying high disk I/O activity for processes exceeding 10 MB in either read or write operations to optimize resource usage.
Process
| where DiskBytesRead > 10000000 or DiskBytesWritten > 10000000
| project ProcessId, ProcessName, Path, DiskBytesReadMB = DiskBytesRead / 1048576, DiskBytesWrittenMB = DiskBytesWritten / 1048576
| order by DiskBytesWrittenMB desc
--------------------------------------------------------------------------------
/Process/Determine Which Users Are Running Which Processes.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying and analyzing unique processes executed by Windows user accounts while sorting the results by user and process name for security or auditing purposes.
Process
| project WindowsUserAccount, ProcessName, ProcessId, CommandLine
| distinct WindowsUserAccount, ProcessName, ProcessId, CommandLine
| order by WindowsUserAccount, ProcessName
--------------------------------------------------------------------------------
/Process/Find All System Processes Related to Defender, Sense or Security.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying security-related processes (Defender, Sense, Security) among the running processes for further analysis or monitoring.
Process
| where ProcessName contains 'Defender' or ProcessName contains 'Sense' or ProcessName contains 'Security'
--------------------------------------------------------------------------------
/Process/Find Processes With High Memory Usage.kql:
--------------------------------------------------------------------------------
// Use Case: Analyze and identify processes by their average, maximum, and minimum memory usage in order to pinpoint memory-intensive applications for optimization or troubleshooting purposes.
Process
| summarize AvgMemoryUsageBytes=avg(WorkingSetSizeBytes), MaxMemoryUsageBytes=max(WorkingSetSizeBytes), MinMemoryUsageBytes=min(WorkingSetSizeBytes) by ProcessName
| order by AvgMemoryUsageBytes desc
| project ProcessName, AvgMemoryUsageBytes, MaxMemoryUsageBytes, MinMemoryUsageBytes
--------------------------------------------------------------------------------
/Process/Find Processes With Unusually High Thread or Handle Counts.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying processes with unusually high thread or handle counts for performance analysis and optimization.
Process
| where ThreadCount > 100 or HandleCount > 1000
| project ProcessName, ProcessId, ThreadCount, HandleCount, Path
| order by ThreadCount desc, HandleCount desc
--------------------------------------------------------------------------------
/Process/Flag Processes With Disproportionately Large Virtual Memory Usage.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying processes with disproportionately large virtual memory usage for system resource optimization.
Process
| where TotalSizeBytes > 10 * WorkingSetSizeBytes
| project ProcessName, ProcessId, WorkingSetSizeBytes, TotalSizeBytes
| order by TotalSizeBytes desc
--------------------------------------------------------------------------------
/Process/Identify Processes That Are Heavily Using Disk Space.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying and prioritizing processes with high on-disk working set size for system resource optimization.
Process
| where OnDisk == true
| project ProcessName, Path, WorkingSetSizeMB = WorkingSetSizeBytes / (1024 * 1024), OnDisk
| order by WorkingSetSizeMB desc
--------------------------------------------------------------------------------
/Process/Identify Top Disk IO Processes.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying the five processes with the most disk I/O (more than 50 MB read or written) for system resource optimization.
Process
| where DiskBytesRead > 50000000 or DiskBytesWritten > 50000000
| project ProcessName, ProcessId, DiskBytesRead, DiskBytesWritten
| order by DiskBytesRead desc, DiskBytesWritten desc
| take 5
--------------------------------------------------------------------------------
/Process/Identify Unexpected or Unknown Processes Running From Unusual Paths.kql:
--------------------------------------------------------------------------------
// Use Case: Filtering and sorting processes to identify and analyze non-system processes running on a Windows computer.
Process
| where not(Path contains 'C:\\Windows\\'
    or Path contains 'C:\\Program Files\\'
    or Path contains 'C:\\Program Files (x86)\\'
    or Path contains 'C:\\Users\\')
| project ProcessId, ProcessName, Path
| order by ProcessName
--------------------------------------------------------------------------------
/Process/Impact of Processes Over Time by Looking at How Long They Run.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying long-running processes with high resource utilization on a system for performance analysis and optimization.
Process
| project ProcessName, StartDateTime, ElapsedTimeInMinutes = ElapsedTimeMilliseconds / 60000, ThreadCount, HandleCount
| where ElapsedTimeInMinutes > 0 // Ensuring we only look at processes that have a reported elapsed time
| order by ElapsedTimeInMinutes desc, ThreadCount desc, HandleCount desc
--------------------------------------------------------------------------------
/Process/List All Process That Running Under NT Authority.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying processes initiated by system accounts for security auditing or anomaly detection.
Process
| where WindowsUserAccount startswith 'NT AUTHORITY'
| project ProcessId, ProcessName, Path, CommandLine, WindowsUserAccount, StartDateTime
--------------------------------------------------------------------------------
/Process/Most frequently running Processes.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying the most frequently running processes on a system for performance analysis or optimization.
Process
| summarize Count=count() by ProcessName
| order by Count desc
--------------------------------------------------------------------------------
/Process/Track the Usage of Specific Applications and How Often They Are Started.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring and identifying the most frequently executed processes on a system for a given day.
Process
| where isnotnull(ProcessName) and isnotnull(StartDateTime) // Ensure fields are not null
| summarize Count = count() by ProcessName, Day = bin(StartDateTime, 1d) // Aggregate counts by day and ProcessName
| order by Count desc
| project ProcessName, Day, Count
--------------------------------------------------------------------------------
/Process/Track the Working Directories of Processes.kql:
--------------------------------------------------------------------------------
// Use Case: Analyzing and auditing system processes for security or operational efficiency by listing their names, IDs, working directories, start times, and command lines in chronological order.
Process
| project ProcessName, ProcessId, CurrentWorkingDirectory, StartDateTime, CommandLine
| where isnotnull(CurrentWorkingDirectory) and CurrentWorkingDirectory != '' // Filter out null or empty working directories
| order by ProcessName, StartDateTime
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Intune Device Query - KQL Queries

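Added example, not one of the repository's queries: the "Identify Unexpected or Unknown Processes Running From Unusual Paths" query above excludes everything under C:\Users\, which hides the user-writable folders where unexpected binaries most often turn up. The query below instead flags processes whose image path lies in such a folder and labels why each row matched. It uses the Process columns used elsewhere in this repository; the folder list is an assumption to adjust per environment, and it assumes Intune Device Query accepts the standard KQL case() function.

```kql
// Added example (not part of this repository): processes running from user-writable
// locations, with a Reason column for triage. Column names (Path, ProcessName,
// WindowsUserAccount, CommandLine, StartDateTime) are those used by the Process
// queries in this repository. The folder list is an assumption; case() is standard
// KQL and its availability in Device Query is assumed. contains is case-insensitive.
Process
| where isnotnull(Path) and Path != ''            // rows without a path cannot be classified
| extend Reason = case(
    Path contains '\\AppData\\Local\\Temp\\', 'user temp folder',
    Path contains '\\AppData\\Roaming\\',     'roaming profile folder',
    Path contains '\\Downloads\\',            'downloads folder',
    Path contains 'C:\\Users\\Public\\',      'public profile',
    Path contains 'C:\\ProgramData\\',        'ProgramData',
    Path contains 'C:\\Windows\\Temp\\',      'Windows temp folder',
    '')                                       // empty string = expected location, dropped below
| where Reason != ''
| project StartDateTime, WindowsUserAccount, ProcessName, ProcessId, Path, CommandLine, Reason
| order by StartDateTime desc
```

Expect some legitimate per-user installers and updaters in the output; the value is in reviewing a short, explained list rather than excluding whole drive trees as the original query does.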

# Overview

This repository contains a comprehensive collection of KQL (Kusto Query Language) queries specifically designed for Microsoft Intune Device Query. These queries are ready to use and cover various aspects of device management, monitoring, and troubleshooting.

You can find more KQL Queries here -> [KQLSearch.com](https://www.KQLSearch.com)

# Categories

- **System Information**
  - BIOS Details
  - CPU Information
  - Disk Drive Details
  - Logical Drive Information

- **Security & Certificates**
  - Certificate Management
  - Windows Security Events
  - Driver Signature Verification
  - User Access & Permissions

- **Process & Performance**
  - Process Monitoring
  - Memory Usage Analysis
  - Disk I/O Tracking
  - CPU Performance

- **Windows Events**
  - Application Crashes
  - System Events
  - Security Auditing
  - Service Status

- **Registry & Configuration**
  - Startup Programs
  - Registry Analysis
  - System Configuration

# What is Device Query in Intune?

Device query allows you to quickly gain on-demand information about the state of your devices. When you enter a query on a selected device, Device query runs it in real time. The data returned can then be used to respond to security threats, troubleshoot the device, or make business decisions.

Details:

Device Query -> [Device Query](https://learn.microsoft.com/en-us/mem/analytics/device-query)

Data Platform Schema -> [Data Platform Schema](https://learn.microsoft.com/en-us/mem/analytics/data-platform-schema)

# Requirements

- License:
  - The Intune Advanced Analytics Add-on OR
  - Microsoft Intune Suite
- The Windows device has to be running and connected to the Internet.
- To use Device query on a device, the device must be enrolled in Endpoint Analytics.
- To use Device query, devices must be Intune managed and corporate owned.
- For a user to use Device query, you must assign the Managed Devices - Query permission to them.

# How to use the queries in Intune

![How to use the queries in Intune](media/howto.png)

# Contributing

Create an Issue or Pull Request if you want to add a new query or have an idea for one that could be useful for everyone.

Feel free to fork the repository and submit pull requests. For major changes, please open an issue first to discuss what you would like to change.

# License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

# Acknowledgments

- Microsoft Intune Documentation
- Community Contributors
- Microsoft Tech Community

---

Made with ❤️ by [Ugur Koc](https://github.com/ugurkocde)
--------------------------------------------------------------------------------
/Tpm/Check if TPM 2.0 is available.kql:
--------------------------------------------------------------------------------
// Use Case: Check if TPM 2.0 is available.
Tpm
| where SpecVersion contains '2.0'
--------------------------------------------------------------------------------
/WIndowsRegistry/Identify Programs Set to Auto-Run at Startup.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying programs set to auto-run at startup for system analysis and security auditing.
WindowsRegistry('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run')
| project RegistryKey, ValueName, ValueType, ValueData
--------------------------------------------------------------------------------
/WIndowsRegistry/Lookup Registry Keys Wildcard.kql:
--------------------------------------------------------------------------------
// Use Case: Retrieving all software-related configurations and settings from the Windows Registry for system audit or software inventory purposes.
WindowsRegistry('HKEY_LOCAL_MACHINE\\SOFTWARE\\*') // backslashes doubled inside the string, as in the Run key query above
--------------------------------------------------------------------------------
/WindowsAppCrashEvent/List of Applications Crashes.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring and troubleshooting application failures in Windows environments.
WindowsAppCrashEvent
--------------------------------------------------------------------------------
/WindowsAppCrashEvent/Windows App Crash Events Grouped by the App and Its Version.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying the most frequently crashing applications and their versions in a Windows environment for targeted troubleshooting and software updates.
WindowsAppCrashEvent
| summarize count() by AppName, AppVersion
--------------------------------------------------------------------------------
/WindowsDriver/Find Drivers That Don’t Have Associated Inf Files.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying installed Windows drivers without an associated INF (setup information) file.
WindowsDriver
| where isempty(InfName) // isempty() matches both null and empty-string InfName values
--------------------------------------------------------------------------------
/WindowsDriver/Group Drivers by Their Provider Name.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying the most frequently occurring driver providers among the drivers installed on a Windows system.
WindowsDriver
| summarize Count=count() by ProviderName
--------------------------------------------------------------------------------
/WindowsDriver/Number of Signed and Unsigned Drivers.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring the distribution of signed versus unsigned drivers in a Windows environment.
WindowsDriver
| summarize Count=count() by Signed
--------------------------------------------------------------------------------
/WindowsDriver/Show All Drivers That Are Not Signed.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying unsigned drivers in a Windows operating system for security auditing and compliance.
WindowsDriver
| where Signed != true
--------------------------------------------------------------------------------
/WindowsEvent/Assigned Primary Tokens.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring security events to identify potential unauthorized privilege escalations or access attempts within the last 7 days.
//
// Query:
WindowsEvent('Security', 7d)
| where Message contains 'primary token was assigned'
--------------------------------------------------------------------------------
/WindowsEvent/Blue Screen of Death.kql:
--------------------------------------------------------------------------------
// Use Case: IT professionals monitoring system stability by identifying recent critical system errors logged as Event ID 1001 in Windows Event Viewer within the last 7 days.
//
// Query:
WindowsEvent('System', 7d)
| where tostring(EventId) == '1001'
--------------------------------------------------------------------------------
/WindowsEvent/Check if Device Restart Is Required.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring and alerting on systems that have pending restarts due to recent application installations or updates within the last 7 days.
//
// Query:
WindowsEvent('Application', 7d)
| where Message == 'Machine restart is required.'
--------------------------------------------------------------------------------
/WindowsEvent/Event Log was Cleared.kql:
--------------------------------------------------------------------------------
// Use Case: Retrieve security event logs from Windows Event Viewer for events with ID 1102, indicating the clearing of security logs, over the past 7 days.
//
// Query:
WindowsEvent('Security', 7d)
| where tostring(EventId) == '1102'
--------------------------------------------------------------------------------
/WindowsEvent/Failed User Account Login.kql:
--------------------------------------------------------------------------------
// Use Case: Identifying failed login attempts on Windows systems within the last 7 days for security analysis and breach detection.
//
// Query:
WindowsEvent('Security', 7d)
| where tostring(EventId) == '4625'
--------------------------------------------------------------------------------
/WindowsEvent/Number of Events per Provider.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring the frequency of application events over the past week to identify patterns or anomalies in software behavior by provider.
//
// Query:
WindowsEvent('Application', 7d)
| summarize EventCount = count() by ProviderName
--------------------------------------------------------------------------------
/WindowsEvent/Overview Event Level Types for Windows Applications Events.kql:
--------------------------------------------------------------------------------
// Author: Niklas Tinner (@NiklasTinner)
//
// Use Case: Monitoring the frequency of application-level events on Windows systems by severity level over the past hour.
WindowsEvent('Application', 1h)
| summarize count() by Level
--------------------------------------------------------------------------------
/WindowsEvent/Query Recent Windows System Event Logs.kql:
--------------------------------------------------------------------------------
// Author: Niklas Tinner (@NiklasTinner)
//
// Use Case: Monitoring and analyzing recent service start events within the last hour on a Windows system for security or operational efficiency purposes.
WindowsEvent('System', 1h)
| where tostring(EventId) == '3' // look up only event ID 3 (Service Started); compared as a string, as in the other WindowsEvent queries
| order by LoggedDateTime desc
--------------------------------------------------------------------------------
/WindowsEvent/Service Start Failure.kql:
--------------------------------------------------------------------------------
// Use Case: Identify and analyze instances of Service Control Manager events where a service fails to start within the past 7 days on Windows systems, specifically focusing on Event ID 7000.
//
// Query:
WindowsEvent('System', 7d)
| where tostring(EventId) == '7000'
--------------------------------------------------------------------------------
/WindowsEvent/Show All Application Events.kql:
--------------------------------------------------------------------------------
// Use Case: Quickly review all application-related events from the Windows Event Log that occurred within the last 7 days to troubleshoot a reported issue.
//
// Query:
WindowsEvent('Application', 7d)
--------------------------------------------------------------------------------
/WindowsEvent/Show Application Crashes.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring and analyzing application crashes or errors on Windows systems over the past week.
//
// Query:
WindowsEvent('Application', 7d)
| where tostring(EventId) == '1000'
--------------------------------------------------------------------------------
/WindowsEvent/Show Application Hangs.kql:
--------------------------------------------------------------------------------
// Use Case: Monitoring application hang events in Windows systems over the past 7 days.
2 | 3 | Query: 4 | 5 | WindowsEvent('Application', 7d) 6 | | where tostring(EventId) == '1002' -------------------------------------------------------------------------------- /WindowsEvent/Show Failed Licence Activations.kql: -------------------------------------------------------------------------------- 1 | Use Case: Monitoring and troubleshooting license activation errors in applications on Windows systems within the last 7 days. 2 | 3 | Query: 4 | 5 | WindowsEvent('Application', 7d) 6 | | where Message contains 'License Activation' 7 | | where Level == 'ERROR' -------------------------------------------------------------------------------- /WindowsEvent/Show Latest Application Installations.kql: -------------------------------------------------------------------------------- 1 | Use Case: Monitoring the successful installation of applications on Windows systems over the last 7 days. 2 | 3 | Query: 4 | 5 | WindowsEvent('Application', 7d) 6 | | where Message contains 'Installation completed successfully' -------------------------------------------------------------------------------- /WindowsEvent/Show Services That Have Started.kql: -------------------------------------------------------------------------------- 1 | Use Case: Monitoring and alerting on service startup events within the last 7 days in Windows applications. 2 | 3 | Query: 4 | 5 | WindowsEvent('Application', 7d) 6 | | where Message contains 'Service started' -------------------------------------------------------------------------------- /WindowsEvent/Show Services That Have Stopped.kql: -------------------------------------------------------------------------------- 1 | Use Case: Monitoring and alerting on the recent shutdown of application services within the last 7 days. 
2 | 3 | Query: 4 | 5 | WindowsEvent('Application', 7d) 6 | | where Message contains 'Service stopped' -------------------------------------------------------------------------------- /WindowsEvent/Successful User Account Login.kql: -------------------------------------------------------------------------------- 1 | Use Case: Identifying successful logon events within the last 7 days to monitor for unauthorized access. 2 | 3 | Query: 4 | 5 | WindowsEvent('Security', 7d) 6 | | where tostring(EventId) == '4624' -------------------------------------------------------------------------------- /WindowsEvent/System Time Changed.kql: -------------------------------------------------------------------------------- 1 | Use Case: Identifying instances of system time changes for security auditing within the last 7 days. 2 | 3 | Query: 4 | 5 | WindowsEvent('Security', 7d) 6 | | where tostring(EventId) == '4616' -------------------------------------------------------------------------------- /WindowsEvent/User Added to Privileged Group.kql: -------------------------------------------------------------------------------- 1 | Use Case: Monitoring for group membership additions in Windows security event logs over the past week to detect potential unauthorized access or privilege escalation. 2 | 3 | Query: 4 | 5 | WindowsEvent('Security', 7d) 6 | | where tostring(EventId) == '4728' or tostring(EventId) == '4732' or tostring(EventId) == '4756' -------------------------------------------------------------------------------- /WindowsEvent/User Right Assigned.kql: -------------------------------------------------------------------------------- 1 | // Use Case: Identifying and analyzing security-related events, specifically the enabling of a user's right to perform privileged tasks, within the last 7 days in a Windows environment. 
2 | WindowsEvent('Security', 7d) 3 | | where tostring(EventId) == '4704' -------------------------------------------------------------------------------- /WindowsEvent/Windows Update Installations.kql: -------------------------------------------------------------------------------- 1 | // Use Case: Identifying system-related events with Event ID 19 within the last 7 days for IT security auditing purposes. 2 | WindowsEvent('System', 7d) 3 | | where tostring(EventId) == '19' -------------------------------------------------------------------------------- /WindowsQfe/Windows Quick Fix Engineering Hot Fixes.kql: -------------------------------------------------------------------------------- 1 | // Use Case: Retrieve a list of Windows Quick Fix Engineering (QFE) updates installed on a system, sorted by their installation date in descending order. 2 | WindowsQfe 3 | | order by InstalledDate desc 4 | -------------------------------------------------------------------------------- /media/howto.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ugurkocde/IntuneDeviceQuery/b2a9348dd0345930fa200d3207275eef5ff48727/media/howto.png --------------------------------------------------------------------------------
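The Security-log queries above (failed logons 4625, audit log cleared 1102, time changed 4616, user right assigned 4704, privileged group additions 4728/4732/4756) each return one slice of the log. The example below is added here and is not part of the IntuneDeviceQuery repository: it applies the same filters in Python to a constructed batch of rows laid out like the WindowsEvent columns the queries reference (LogName, EventId, Level, ProviderName, LoggedDateTime, Message; this column shape is an assumption), and then goes one step further than the single-filter queries by correlating a log-clear with a privilege change shortly before it, which is the pattern a defender would want surfaced rather than two separate result lists. The account-name parsing assumes the simplified message text used in the sample rows.

```python
from datetime import datetime, timedelta

# Event IDs referenced by the Security-log queries above.
FAILED_LOGON = "4625"
LOG_CLEARED = "1102"
TIME_CHANGED = "4616"
USER_RIGHT_ASSIGNED = "4704"
PRIV_GROUP_ADDED = {"4728", "4732", "4756"}  # member added to global / local / universal group


def _row(log, event_id, when, message, level="INFORMATION",
         provider="Microsoft-Windows-Security-Auditing"):
    """Build one row in the WindowsEvent column layout assumed by this example."""
    return {"LogName": log, "EventId": event_id, "Level": level,
            "ProviderName": provider, "LoggedDateTime": when, "Message": message}


# Constructed sample data (not captured from a real device); messages are simplified.
SAMPLE_ROWS = [
    _row("Security", 4625, "2024-05-01T08:00:00", "An account failed to log on. Account Name: alice"),
    _row("Security", 4625, "2024-05-01T08:01:00", "An account failed to log on. Account Name: alice"),
    _row("Security", 4625, "2024-05-01T08:02:00", "An account failed to log on. Account Name: alice"),
    _row("Security", 4625, "2024-05-01T08:05:00", "An account failed to log on. Account Name: bob"),
    _row("Security", 4625, "2024-04-20T08:00:00", "An account failed to log on. Account Name: alice"),  # older than 7d
    _row("Security", 4624, "2024-05-01T08:10:00", "An account was successfully logged on. Account Name: alice"),
    _row("Security", 4704, "2024-04-25T10:00:00", "A user right was assigned."),
    _row("Security", 4616, "2024-04-30T12:00:00", "The system time was changed."),
    _row("Security", 4732, "2024-05-01T09:10:00", "A member was added to a security-enabled local group."),
    _row("Security", 1102, "2024-05-01T09:12:00", "The audit log was cleared.",
         provider="Microsoft-Windows-Eventlog"),
    _row("System", 1001, "2024-05-01T07:00:00", "The computer has rebooted from a bugcheck.",
         level="ERROR", provider="Microsoft-Windows-WER-SystemErrorReporting"),
]


def _when(row):
    return datetime.fromisoformat(row["LoggedDateTime"])


def security_events(rows, window_days=7, now=None):
    """Equivalent of WindowsEvent('Security', 7d): Security-log rows inside the window.
    The window ends at `now`, or at the newest row when `now` is not given."""
    latest = now or max(_when(r) for r in rows)
    cutoff = latest - timedelta(days=window_days)
    return [r for r in rows if r["LogName"] == "Security" and _when(r) >= cutoff]


def events_with_id(rows, event_ids):
    """Equivalent of `where tostring(EventId) == '...'`, or several of them ORed together."""
    wanted = {str(e) for e in event_ids}
    return [r for r in rows if str(r["EventId"]) in wanted]


def message_contains(rows, needle):
    """Equivalent of `where Message contains '...'` (KQL `contains` is case-insensitive)."""
    needle = needle.lower()
    return [r for r in rows if needle in r["Message"].lower()]


def failed_logons_by_account(rows):
    """Count 4625 rows per account name, parsed from the simplified Message text."""
    counts = {}
    for r in events_with_id(rows, [FAILED_LOGON]):
        account = r["Message"].split("Account Name:")[-1].strip()
        counts[account] = counts.get(account, 0) + 1
    return counts


def log_cleared_after_privilege_change(rows, max_gap_minutes=30):
    """Return (change_event_id, change_time, clear_time) for every 1102 that follows a
    privileged-group addition or user-right assignment within max_gap_minutes.
    A privilege change followed by removal of the audit trail is worth a closer look."""
    changes = events_with_id(rows, PRIV_GROUP_ADDED | {USER_RIGHT_ASSIGNED})
    findings = []
    for clear in events_with_id(rows, [LOG_CLEARED]):
        for change in changes:
            gap = _when(clear) - _when(change)
            if timedelta(0) <= gap <= timedelta(minutes=max_gap_minutes):
                findings.append((str(change["EventId"]), change["LoggedDateTime"],
                                 clear["LoggedDateTime"]))
    return findings


if __name__ == "__main__":
    recent = security_events(SAMPLE_ROWS)
    print("failed logons by account:", failed_logons_by_account(recent))
    print("time changes:", len(events_with_id(recent, [TIME_CHANGED])))
    print("log cleared after privilege change:", log_cleared_after_privilege_change(recent))
```

Run against a real export, the only parts that would need adjusting are the row layout and the account-name parsing; the filters themselves are the same ones the queries above express in KQL.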