Writeups
Reference material — KQL queries, framework notes, CTF writeups, and anything else that's more lookup table than narrative. The blog is for posts; this is for queries and tables you come back to.
KQL queries
KQL Beginners Guide
Hands-on walkthrough of KQL fundamentals — operators, scalar functions, aggregations, and the small daily patterns an analyst actually uses against Sentinel data. Originally drafted as onboarding material; left here as a public reference.
kqlsentinelguide
Hunting cookbook (coming)
A growing index of hunts — what each is looking for, the underlying KQL, and notes on tuning false positives. Ranging across DeviceLogonEvents, SecurityEvents, Syslog, and friends.
kqlhunting
Framework notes
NIST 800-53 — control mapping cheatsheet (coming)
Quick-lookup table for mapping NIST 800-53 controls to detection sources and audit evidence types.
nistcompliance
MITRE ATT&CK — tactic-to-data-source crosswalk (coming)
Which ATT&CK tactics show up in which Microsoft Sentinel / Defender tables, with sample queries. Companion to the MitreAttackExplorer module.
mitreattacksentinel
Want to contribute a query or correction? The site is on GitHub — open an issue or PR.