
microsoft/kql-query-store


Interactive KQL Query Store


Many KQL queries are published on GitHub by Microsoft and by the wider security community. They are scattered across repositories as unstructured, disorganized text, which makes them hard for defenders and detection authors to discover.

The GitHub search interface is not flexible enough to meet defenders' custom search needs: filtering KQL queries by data source, by KQL operator, by examples of parsing complex fields in a given data source, by custom tags where available, and so on. Making queries easy to discover helps defenders reference existing work while writing new queries, reuse complex parsing examples for specific data sources, and more.

Project Goals

  • A structured, organized data store of KQL queries
  • Easy discoverability of KQL queries by tags, KQL operators, data source, etc.
  • Pointers to the relevant sources and GitHub links
  • An interactive dashboard to explore the structured data
  • Insights into the KQL queries published for Azure Sentinel
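The goals above describe deriving a structured record (data source, KQL operators, tags, source link) from raw query text and searching over those fields. The following is an added example of that idea, not code from the kql-query-store project itself; the three KQL queries, their names and the example.invalid URLs are constructed for illustration.

```python
"""Index KQL queries into a small searchable structured store.

Added example, not project code: derives datasource and operator metadata
from raw KQL text and searches over it, the way the project goals describe.
"""
import re
from dataclasses import dataclass, field

# Tabular operators KQL accepts after a pipe. Only these count as "operators",
# so column names and function calls are not mistaken for one.
KQL_OPERATORS = {
    "where", "project", "project-away", "project-rename", "extend", "summarize",
    "join", "union", "parse", "parse-where", "mv-expand", "distinct", "take",
    "limit", "sort", "order", "top", "count", "render", "evaluate",
    "make-series", "lookup", "search", "invoke",
}


@dataclass
class KqlRecord:
    name: str
    source_url: str
    query: str
    datasource: str
    operators: list
    tags: list = field(default_factory=list)


def main_statement(query: str) -> str:
    """Return the tabular expression of a query, after comments and let-statements.

    Caveat: splitting on ';' and '|' is a heuristic that breaks if a string
    literal inside the query contains either character.
    """
    body = re.sub(r"//[^\n]*", "", query)
    statements = [s for s in body.split(";") if s.strip()]
    return statements[-1] if statements else ""


def extract_datasource(query: str) -> str:
    """The first identifier before the first pipe is the table being queried."""
    tokens = main_statement(query).split("|", 1)[0].split()
    return tokens[0] if tokens else ""


def extract_operators(query: str) -> list:
    """Operators in order of first appearance, e.g. ['where', 'parse', 'summarize']."""
    seen = []
    for segment in main_statement(query).split("|")[1:]:
        tokens = segment.split()
        op = tokens[0].lower() if tokens else ""
        if op in KQL_OPERATORS and op not in seen:
            seen.append(op)
    return seen


class QueryStore:
    def __init__(self):
        self.records = []

    def add(self, name, source_url, query, tags=()):
        rec = KqlRecord(name, source_url, query,
                        datasource=extract_datasource(query),
                        operators=extract_operators(query),
                        tags=[t.lower() for t in tags])
        self.records.append(rec)
        return rec

    def search(self, datasource=None, operator=None, tag=None):
        """Names of queries matching every given filter (case-insensitive)."""
        hits = []
        for r in self.records:
            if datasource and r.datasource.lower() != datasource.lower():
                continue
            if operator and operator.lower() not in r.operators:
                continue
            if tag and tag.lower() not in r.tags:
                continue
            hits.append(r.name)
        return hits


# Constructed sample queries (not taken from any published repository).
Q_WINDOWS = """// Accounts with many failed logons
SecurityEvent
| where EventID == 4625
| summarize Failures = count() by Account, Computer
| where Failures > 10
"""

Q_SSH = """let lookback = 1d;
Syslog
| where TimeGenerated > ago(lookback)
| where ProcessName == "sshd"
| parse SyslogMessage with * "Failed password for " User " from " SourceIP " port " *
| summarize Attempts = count() by User, SourceIP
"""

Q_SIGNIN = """SigninLogs
| where ResultType != 0
| extend ErrorCode = tostring(Status.errorCode)
| project TimeGenerated, UserPrincipalName, IPAddress, ErrorCode
| order by TimeGenerated desc
"""


def build_sample_store() -> QueryStore:
    store = QueryStore()
    store.add("Windows failed logons", "https://example.invalid/q/windows",
              Q_WINDOWS, tags=["credential-access"])
    store.add("SSH failed passwords", "https://example.invalid/q/ssh",
              Q_SSH, tags=["credential-access", "parsing"])
    store.add("Entra ID failed sign-ins", "https://example.invalid/q/signin",
              Q_SIGNIN, tags=["initial-access"])
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for rec in s.records:
        print(f"{rec.name}: datasource={rec.datasource} operators={rec.operators}")
    print("queries using parse:", s.search(operator="parse"))
```

The let-statement handling matters in practice: many published queries start with `let` bindings, and taking the first token of the whole text would record `let` as the data source. A real store would use a proper KQL parser rather than splitting on `|`, since a pipe inside a string literal defeats the heuristic.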

Architecture

(architecture diagram)

Docker instruction

If you wish to host this locally or in-house, use the instructions below to build the Docker image and run it. For more detailed instructions, see the Streamlit docs: Deploy Streamlit using Docker.

Build image

docker build -t kql-query-store .

Run the docker container

docker run -p 8501:8501 kql-query-store
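As an added example (not the project's own Dockerfile, which this page does not show), a Dockerfile of the kind the build command above expects. It assumes the Streamlit entrypoint is app.py and that dependencies are pinned in requirements.txt; adjust both to the repository's actual files.

```dockerfile
# Example Dockerfile for hosting the Streamlit app in-house.
# Assumptions (adjust to the repository): entrypoint app.py, deps in requirements.txt.
FROM python:3.11-slim

# Run the app as an unprivileged user rather than as root inside the container.
RUN useradd --create-home --shell /usr/sbin/nologin app
WORKDIR /home/app

# Install dependencies first so this layer is cached between source changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY --chown=app:app . .
USER app

EXPOSE 8501
ENTRYPOINT ["streamlit", "run", "app.py", "--server.port=8501", "--server.address=0.0.0.0"]
```

When the host is shared, publish the port only on the loopback interface (`docker run -p 127.0.0.1:8501:8501 kql-query-store`) and put a reverse proxy with authentication in front of it; Streamlit itself does no authentication.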

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
