KQL Queries

This page consolidates my go-to KQL queries, covering a broad range of uses from DFIR to threat hunting.

CMD Hunting

This KQL query identifies devices where a process command line contained curl in the last 7 days (KQL's has operator matches a whole term, case-insensitively). For each hit it returns the timestamp, device name, account name, the full command line, and the file name and folder path of the initiating (parent) process. Replace curl with other commands or adjust the time range (e.g., ago(30d)) to fit your environment's monitoring needs.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "curl"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessFolderPath, AccountName

This KQL query finds devices running curl commands in the last 7 days and joins each curl process to the network events it generated whose remote IP falls in 10.10.* or 10.12.*, so the output lists which internal hosts each curl invocation connected to. Swap curl for other commands or adjust the IP prefixes (e.g., change 10.10. to your network's subnet) to tailor it to your environment. Results are sorted by process timestamp, most recent first.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "curl"
| project ProcessEventTimestamp = Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessId, ProcessId, ProcessCreationTime
// In DeviceNetworkEvents, InitiatingProcessId is the PID of the process that opened the connection,
// so it is matched against the curl process's own ProcessId (not against the parent's InitiatingProcessId,
// which would return the parent shell's connections instead). Matching the creation time as well
// prevents false joins when a PID is reused on the same device within the 7-day window.
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteIP startswith "10.10." or RemoteIP startswith "10.12."
    | project NetworkEventTimestamp = Timestamp, DeviceId, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessCommandLine, ReportId
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| project
    ProcessEventTimestamp,
    NetworkEventTimestamp,
    DeviceName,
    ProcessCommandLine,
    RemoteIP,
    RemotePort,
    LocalIP,
    LocalPort,
    InitiatingProcessFileName,
    InitiatingProcessId,
    ProcessId
| sort by ProcessEventTimestamp desc
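The query above returns one row per connection, which gets noisy on a busy host. The following is an added example (not one of the page's own queries) that generalises it: the lookback, the tool list and the internal ranges are let variables so they can be swapped as the text suggests, ranges are matched as CIDRs instead of string prefixes, and the joined rows are summarised per device and command line so a download tool reaching an unusual number of internal hosts floats to the top. It assumes the standard Microsoft Defender Advanced Hunting schema; the tool names and CIDR ranges are placeholders to adapt to your environment.

```kusto
// Added example, not from the original page. Placeholders: adjust tools and internal_ranges.
let lookback = 7d;
let tools = dynamic(["curl", "wget"]);                       // commands to hunt for
let internal_ranges = dynamic(["10.10.0.0/16", "10.12.0.0/16"]); // your internal subnets
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Match on the image name or on the command line, so renamed binaries still surface via arguments
| where FileName has_any (tools) or ProcessCommandLine has_any (tools)
| project ProcessEventTimestamp = Timestamp, DeviceId, DeviceName, AccountName,
          FileName, ProcessCommandLine, ProcessId, ProcessCreationTime
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    // CIDR matching avoids prefix pitfalls such as "10.1." silently matching only 10.1.x.x
    | where ipv4_is_in_any_range(RemoteIP, internal_ranges)
    | project NetworkEventTimestamp = Timestamp, DeviceId, RemoteIP, RemotePort,
              InitiatingProcessId, InitiatingProcessCreationTime
// Join the tool's own PID (and creation time, to defeat PID reuse) to the process that opened the socket
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| summarize Connections   = count(),
            DistinctHosts = dcount(RemoteIP),
            SampleHosts   = make_set(RemoteIP, 10),   // first 10 distinct remote IPs for triage
            FirstSeen     = min(NetworkEventTimestamp),
            LastSeen      = max(NetworkEventTimestamp)
          by DeviceName, AccountName, FileName, ProcessCommandLine
// Many distinct internal hosts from one invocation is the pattern worth looking at first
| sort by DistinctHosts desc, Connections desc
```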