KQL Detection Query Library for Microsoft Sentinel: 50 High-Fidelity Queries Mapped to MITRE ATT&CK

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
KQL (Kusto Query Language) is Microsoft Sentinel's native detection language, but production-ready detection queries are scattered across the Sentinel GitHub repository, Microsoft documentation, and individual blog posts. This library consolidates 50 high-fidelity queries organized by MITRE ATT&CK tactic. Each entry includes the required log source tables, the KQL query, a plain-English explanation of what it detects, and the most common false positive source to tune against before enabling in enforcement mode. All queries are tested against Sentinel Log Analytics workspaces with real data and are suitable for use as Scheduled Query Rule analytics rules.
How to Use This Library
Each query in this library is structured for direct use as a Microsoft Sentinel Scheduled Query Rule. To deploy a query as an analytics rule: navigate to Sentinel > Analytics > Create > Scheduled query rule, paste the query into the Rule query field, set the frequency and lookback window as specified in the entry, and configure entity mapping for any IP address, account, or host entities referenced in the query results.
Before enabling any rule in enforcement mode (where it creates incidents), run it against 30 days of historical data using the Log Analytics query editor to validate expected results and identify false positive patterns. Rules with high false positive rates should be deployed in observation mode (alert rule with low-severity, no automatic incident creation) for tuning before promotion to incident-generating rules.
Three log source tables are required for the majority of this library's queries: SecurityEvent (Windows Security event log forwarded via Azure Monitoring Agent or Log Analytics Agent), SigninLogs (Entra ID sign-in telemetry, enabled in Entra ID Diagnostic Settings), and AuditLogs (Entra ID and Microsoft 365 change events). Enable these three tables first and you will have the data required for approximately 80 percent of the queries in this library.
Initial Access Detections
Initial Access techniques represent how adversaries gain a foothold. The highest-value detections target credential-based attacks against cloud identity and phishing indicators in email telemetry.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Execution and Persistence Detections
Execution detections focus on process creation anomalies visible in Windows Security event telemetry. Persistence detections target scheduled tasks, registry run keys, and account creation events.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Privilege Escalation Detections
Privilege escalation detections focus on token manipulation, role assignments in cloud identity, and the use of built-in tools to gain elevated access.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Defense Evasion Detections
Defense evasion detections focus on log clearing, diagnostic setting deletion, and the disabling of security controls -- all actions that adversaries take to reduce detection visibility.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Credential Access Detections
Credential access detections cover brute force, Kerberoasting, and credential exposure in cloud storage -- the three most common credential theft patterns observed in Microsoft cloud environments.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Lateral Movement Detections
Lateral movement detections focus on Remote Desktop Protocol (RDP) anomalies, pass-the-hash patterns, and service account misuse across Windows event telemetry.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Exfiltration and Impact Detections
Exfiltration detections target data transfer volume anomalies, email forwarding rule creation, and SharePoint mass download events -- the most common cloud data theft patterns.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Deploying These Rules in Production
Detection rules are not set-and-forget artifacts. Production deployment requires a quality gate process, a tuning cadence, and an owner for each rule.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
A KQL detection library is only as valuable as the process around it. These 50 queries are a starting point -- the production rules for your environment will require tuning against your specific log sources, your organization's behavior baseline, and your threat model priorities. Start with the highest-fidelity rules (password spray, Office-spawning-shell, event log cleared, CA policy deleted) that have near-zero false positive rates before investing time in tuning the behavioral baselines. The Microsoft Sentinel community GitHub repository and the MITRE ATT&CK Detection Coverage project are the best ongoing sources for new detection ideas once this library is fully deployed and tuned.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
