This repository contains a collection of queries designed to serve as starting points for custom investigation questions in the Command Zero autonomous investigation platform. These queries cover a variety of common threat hunting and investigation scenarios.
Queries are organized by the platform they run against:

- Microsoft Sentinel: KQL queries optimized for Microsoft Sentinel data sources, focusing on identity, authentication, and permission-related threats.
- Microsoft Defender XDR Advanced Hunting: KQL queries for Microsoft Defender XDR Advanced Hunting, covering device, email, and network-based threat detection.
Each query is documented with comments explaining its purpose and can be directly imported into Command Zero or customized to meet your specific environmental requirements. These examples demonstrate effective techniques for threat hunting across various attack vectors including brute force attempts, suspicious authentications, phishing campaigns, and unusual administrative activities.
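As an illustration of the brute-force hunting style these queries take against the Microsoft Sentinel `SigninLogs` table, here is an added example written for this README; it is not one of the repository's own queries. Table and column names follow the standard Entra ID sign-in schema in Sentinel, while the `lookback` window, the failure threshold and the set of failure result codes are assumptions to tune for your environment. It flags source IPs with many failed sign-ins and then checks whether the same IP later obtained a successful sign-in, which is the case an investigator most wants surfaced first.

```kql
// Added example query (not part of the repository): brute-force / password-spray
// sources in Sentinel SigninLogs, with "success after failures" flagged.
// Thresholds and the failure-code list are assumptions; tune per environment.
let lookback = 24h;
let failure_threshold = 20;
// ResultType is stored as a string. "0" is success; common credential-guessing
// failures are 50126 (invalid username or password), 50053 (account locked)
// and 50057 (account disabled).
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053", "50057")
    | summarize FailureCount = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by IPAddress
    | where FailureCount >= failure_threshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SuccessCount = count(),
                SucceededAccounts = make_set(UserPrincipalName, 20),
                FirstSuccess = min(TimeGenerated)
        by IPAddress;
failures
| join kind=leftouter successes on IPAddress
// A success that follows the failure burst from the same IP is the strongest
// signal of a guessed credential; a high TargetedAccounts count with few
// failures per account points at a password spray rather than a single-target
// brute force.
| extend SuccessAfterFailures = isnotnull(FirstSuccess) and FirstSuccess > FirstFailure
| project IPAddress, FailureCount, TargetedAccounts, FirstFailure, LastFailure,
          SuccessCount, SuccessAfterFailures, SucceededAccounts
| order by SuccessAfterFailures desc, FailureCount desc
```

When adapting this into a Command Zero investigation question, the `lookback` and `failure_threshold` values are the natural parameters to expose; a legitimate NAT gateway or VPN egress can exceed a low failure threshold on its own, so check `TargetedAccounts` and `SucceededAccounts` before treating a hit as compromise.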
We welcome special requests for additional investigation questions or modifications to existing ones. If you have specific threat hunting scenarios you'd like to see addressed, please contact the Command Zero team through our regular support channels. Our goal is to continuously expand this collection based on customer needs and emerging threats.