50
detection queries in this library, organized by MITRE ATT&CK tactic across Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, and Exfiltration
KQL
Kusto Query Language: Microsoft Sentinel's native detection language, also used in Azure Data Explorer, Azure Monitor, and Microsoft Defender products
80%
of detection rules in this library require only three log source tables: SecurityEvent (Windows), SigninLogs (Entra ID), and AuditLogs (M365/Entra ID changes)
MITRE v15
queries are mapped to MITRE ATT&CK Enterprise Framework version 15, the current release as of 2026

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

KQL (Kusto Query Language) is Microsoft Sentinel's native detection language, but production-ready detection queries are scattered across the Sentinel GitHub repository, Microsoft documentation, and individual blog posts. This library consolidates 50 high-fidelity queries organized by MITRE ATT&CK tactic. Each entry includes the required log source tables, the KQL query, a plain-English explanation of what it detects, and the most common false positive source to tune against before enabling in enforcement mode. All queries are tested against Sentinel Log Analytics workspaces with real data and are suitable for use as Scheduled Query Rule analytics rules.

How to Use This Library

Each query in this library is structured for direct use as a Microsoft Sentinel Scheduled Query Rule. To deploy a query as an analytics rule: navigate to Sentinel > Analytics > Create > Scheduled query rule, paste the query into the Rule query field, set the frequency and lookback window as specified in the entry, and configure entity mapping for any IP address, account, or host entities referenced in the query results.

Before enabling any rule in enforcement mode (where it creates incidents), run it against 30 days of historical data using the Log Analytics query editor to validate expected results and identify false positive patterns. Rules with high false positive rates should be deployed in observation mode (alert rule with low-severity, no automatic incident creation) for tuning before promotion to incident-generating rules.

Three log source tables are required for the majority of this library's queries: SecurityEvent (Windows Security event log forwarded via Azure Monitoring Agent or Log Analytics Agent), SigninLogs (Entra ID sign-in telemetry, enabled in Entra ID Diagnostic Settings), and AuditLogs (Entra ID and Microsoft 365 change events). Enable these three tables first and you will have the data required for approximately 80 percent of the queries in this library.

Initial Access Detections

Initial Access techniques represent how adversaries gain a foothold. The highest-value detections target credential-based attacks against cloud identity and phishing indicators in email telemetry.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Execution and Persistence Detections

Execution detections focus on process creation anomalies visible in Windows Security event telemetry. Persistence detections target scheduled tasks, registry run keys, and account creation events.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Privilege Escalation Detections

Privilege escalation detections focus on token manipulation, role assignments in cloud identity, and the use of built-in tools to gain elevated access.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Defense Evasion Detections

Defense evasion detections focus on log clearing, diagnostic setting deletion, and the disabling of security controls -- all actions that adversaries take to reduce detection visibility.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Credential Access Detections

Credential access detections cover brute force, Kerberoasting, and credential exposure in cloud storage -- the three most common credential theft patterns observed in Microsoft cloud environments.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Lateral Movement Detections

Lateral movement detections focus on Remote Desktop Protocol (RDP) anomalies, pass-the-hash patterns, and service account misuse across Windows event telemetry.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Exfiltration and Impact Detections

Exfiltration detections target data transfer volume anomalies, email forwarding rule creation, and SharePoint mass download events -- the most common cloud data theft patterns.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Deploying These Rules in Production

Detection rules are not set-and-forget artifacts. Production deployment requires a quality gate process, a tuning cadence, and an owner for each rule.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

A KQL detection library is only as valuable as the process around it. These 50 queries are a starting point -- the production rules for your environment will require tuning against your specific log sources, your organization's behavior baseline, and your threat model priorities. Start with the highest-fidelity rules (password spray, Office-spawning-shell, event log cleared, CA policy deleted) that have near-zero false positive rates before investing time in tuning the behavioral baselines. The Microsoft Sentinel community GitHub repository and the MITRE ATT&CK Detection Coverage project are the best ongoing sources for new detection ideas once this library is fully deployed and tuned.

Sources & references

  1. MITRE ATT&CK Enterprise Framework v15
  2. Microsoft Sentinel Analytics Rules documentation
  3. Microsoft Sentinel GitHub Community Detection Rules
  4. KQL Quick Reference

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.