ATT4CKQL
Enhanced KQL Queries for Microsoft Sentinel based on MITRE ATT&CK Techniques
1. Overview
ATT4CKQL is a comprehensive collection of Kusto Query Language (KQL) queries specifically designed for Microsoft Sentinel. These queries are mapped to MITRE ATT&CK techniques and are optimized to detect sophisticated threats across multiple detection sources.
The project aims to provide security teams with ready-to-use, enhanced detection capabilities that leverage the power of Microsoft Sentinel while following the MITRE ATT&CK framework for a structured approach to threat detection.
2. How to Use This Project
To make the most of ATT4CKQL, follow these steps:
- Browse the Detection Sources: Use the table below to navigate to specific detection sources based on your environment.
- Review the Queries: Each detection source page contains KQL queries mapped to specific MITRE ATT&CK techniques.
- Implementation: Copy the queries and implement them in your Microsoft Sentinel environment.
- Customization: Modify the queries as needed to fit your specific environment parameters.
- Testing: Before deploying in production, test the queries in a controlled environment to validate their effectiveness.
The queries in this project are categorized based on their use case:
- Hunting Queries: For proactive threat hunting exercises
- Near Real-Time Detection: For alerts that require immediate attention
- Microsoft Sentinel Functions: Reusable query components that can be called from other queries
3. Table of Contents
Browse through our detection sources to find KQL queries relevant to your environment:
| Detection Source | Hunting Support | Near Real-Time | Sentinel Functions | Last Updated |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Yes | Yes | Yes | 2025-03-07 |
| Azure | Yes | Yes | Yes | 2025-03-01 |
| Active Directory | Yes | Yes | Yes | 2025-03-15 |
| Google Cloud Platform (GCP) | Yes | Yes | No | 2025-02-18 |
| Entra ID (formerly Azure AD) | Yes | Yes | Yes | 2025-02-25 |
| Microsoft 365 | Yes | Yes | Yes | 2025-02-22 |
| Microsoft Defender | Yes | Yes | Yes | 2025-03-05 |
4. Best Practices
- Test queries in a development environment first: Always validate queries against sample data before deploying to production
- Customize thresholds and parameters: Adjust detection thresholds based on your environment's baseline
- Review false positives regularly: Fine-tune queries to reduce noise while maintaining detection efficacy
- Implement proper alerting: Set up appropriate notification channels and escalation procedures
- Document customizations: Keep track of any modifications made to the base queries