Microsoft Sentinel's analytics power lives in KQL. The Microsoft Sentinel content hub now ships several hundred templates, but the queries Australian SOC analysts reach for day-to-day are a much shorter list — twenty patterns that recur across identity, email, endpoint, network and compliance investigations. Each query below is production-tested in Australian mid-market and enterprise tenants. Save them, tune the thresholds to your environment, and wire the high-value ones into scheduled analytics rules.
Identity — the dominant attack surface
1. Impossible-travel sign-ins (last 24h)
SigninLogs | where TimeGenerated > ago(24h) | where ResultType == '0' | extend Country = tostring(LocationDetails.countryOrRegion) | where isnotempty(Country) | summarize Countries = make_set(Country), SignIns = count() by UserPrincipalName | where array_length(Countries) >= 2 | order by SignIns desc — a coarse cut: it lists every user who signed in from two or more countries in the window without checking whether the hop was physically possible, so treat it as the raw hunting view that pairs with Identity Protection's atypical-travel detection rather than a replacement for it. ResultType is a string column, hence the quoted '0'; without the success filter every failed spray attempt's geolocation lands in the set, which is noise for this question.
2. Sign-in from new country, last 7 days
Build a baseline of the countries each user has signed in from over the last 90 days, then alert on the first sign-in from a country outside that set in the last 7 days. Best wired as a scheduled rule with a 7-day detection window; because a scheduled rule can look back at most 14 days, the 90-day baseline itself has to live in a Watchlist or a summary table that the rule joins against. High-fidelity signal for compromised credentials.
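The baseline query the paragraph describes, written out in full as an added example (it is not a query from the original page). It assumes only the standard Entra ID SigninLogs table; the 90-day and 7-day windows are the ones the text names, and the two thresholds are starting points:

```kql
// Added example: new-country sign-in against a 90-day per-user baseline (not the page's own query).
// Assumes the standard Entra ID SigninLogs table and nothing else.
let lookback = 90d;   // baseline window
let recent   = 7d;    // detection window
// ResultType is a string column in SigninLogs, so compare against "0", not the number 0.
let successes = SigninLogs
    | where ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country);
// Countries each user signed in from before the detection window started.
let baseline = successes
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | summarize KnownCountries = make_set(Country) by UserPrincipalName;
successes
| where TimeGenerated > ago(recent)
// leftouter keeps users with no history at all; for them every country is new.
| join kind=leftouter baseline on UserPrincipalName
| extend KnownCountries = iff(isnull(KnownCountries), dynamic([]), KnownCountries)
| where not(set_has_element(KnownCountries, Country))
| extend NoHistory = array_length(KnownCountries) == 0
| summarize FirstSeen = min(TimeGenerated), SignIns = count(),
            IPs = make_set(IPAddress, 10), Apps = make_set(AppDisplayName, 10)
    by UserPrincipalName, Country, NoHistory
// users with a real baseline first; brand-new accounts are a separate, noisier list
| order by NoHistory asc, FirstSeen desc
```

Run as written it is a hunting query. As a scheduled rule the `baseline` half cannot stay inside the query, because the rule's lookback is capped at 14 days: materialise it with a summary rule or export it to a Watchlist on a schedule, and have the scheduled rule join that table in place of `baseline`. The `NoHistory` column matters in that setup too: a user with no baseline rows is either genuinely new or simply absent from the exported snapshot, and the two deserve different handling.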
3. Privileged role activation outside business hours
AuditLogs | where OperationName has 'Add member to role' | where Result == 'success' | where tostring(TargetResources) has_any ('Global Administrator', 'Privileged Role Administrator', 'Application Administrator') | extend LocalHour = hourofday(datetime_utc_to_local(TimeGenerated, 'Australia/Sydney')) | where LocalHour < 7 or LocalHour >= 19 — AuditLogs timestamps are UTC, so convert before testing the hour; datetime_utc_to_local() with an IANA zone name handles the AEST/AEDT switch, which a fixed +10h does not. `has` rather than `==` catches both the direct 'Add member to role' grant and the PIM variant 'Add member to role completed (PIM activation)'. Flag activations of those roles outside 7am–7pm as 'review next morning'.
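A fuller version of the same detection, added here as an example rather than taken from the page, that pulls the role, the account that received it and the actor out of the nested AuditLogs record so the morning review has something to read. It assumes the Entra ID AuditLogs schema (TargetResources[0] is the account that received the role and InitiatedBy.user or InitiatedBy.app is who granted it); the role list and the 07:00–19:00 window are example values:

```kql
// Added example (not the page's own query): privileged role grants and PIM activations outside local
// business hours, with role, target account and actor pulled out of the nested AuditLogs record.
// Assumptions: Entra ID AuditLogs schema as documented (TargetResources[0] = account receiving the role,
// InitiatedBy.user / InitiatedBy.app = who did it). The role list is an example; extend it to taste.
let watched_roles = dynamic(["Global Administrator", "Privileged Role Administrator",
                             "Application Administrator", "Cloud Application Administrator",
                             "Security Administrator", "Exchange Administrator"]);
let business_start = 7;    // 07:00 local
let business_end   = 19;   // 19:00 local
AuditLogs
| where TimeGenerated > ago(1d)
// "Add member to role" (direct grant) and "Add member to role completed (PIM activation)"
| where OperationName has "Add member to role"
| where Result == "success"
// AuditLogs timestamps are UTC; an IANA zone name makes the AEST/AEDT switch someone else's problem.
| extend LocalTime = datetime_utc_to_local(TimeGenerated, "Australia/Sydney")
| extend LocalHour = hourofday(LocalTime)
| where LocalHour < business_start or LocalHour >= business_end
// Fan each event out against the watched roles and keep the ones whose name appears in the
// stringified TargetResources; this works for both record shapes (Role.DisplayName in
// modifiedProperties for direct grants, a Role-typed resource for PIM activations).
| extend Targets = tostring(TargetResources), Watched = watched_roles
| mv-expand Role = Watched to typeof(string)
| where Targets contains Role
| extend TargetUser = tostring(TargetResources[0].userPrincipalName),
         Actor      = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),
                          tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName)),
         ActorIP    = tostring(InitiatedBy.user.ipAddress)
| project LocalTime, OperationName, Role, TargetUser, Actor, ActorIP, CorrelationId
| order by LocalTime desc
```

The Sydney clock is the page's AEST assumption. A tenant with staff in Perth or Brisbane either widens the window or keeps each user's office timezone in a Watchlist and converts per row, otherwise a 5 pm Perth activation becomes an out-of-hours alert every day. `CorrelationId` is kept so the analyst can pull the matching PIM request and justification from the same table.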
4. Failed sign-ins followed by success — credential spray success
SigninLogs | where TimeGenerated > ago(1d) | where ResultType != '0' | summarize Failures = count(), SourceIPs = make_set(IPAddress, 10) by UserPrincipalName, Hour = bin(TimeGenerated, 1h) | where Failures > 10 | join kind=inner (SigninLogs | where TimeGenerated > ago(1d) | where ResultType == '0' | extend Hour = bin(TimeGenerated, 1h) | project UserPrincipalName, Hour, SuccessTime = TimeGenerated, SuccessIP = IPAddress) on UserPrincipalName, Hour — surfaces accounts that took more than ten failures and then a successful sign-in within the same hour. Joining on the hour bin as well as the user is what makes this a sequence; a join on UserPrincipalName alone matches any success the account ever had in the table. Raise the failure threshold for service accounts and MFA-heavy users, and note that a spray that stays under ten attempts per account is invisible here and needs the source-IP view instead.
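The source-side view of the same attack, added as an example (not the page's own query): a spray keeps each account under the per-user threshold, so the signal is one IP failing against many accounts, followed by any success from that IP. It assumes only the standard SigninLogs table; the window and account-count thresholds are starting points, and the error codes are the documented Entra ID sign-in result codes:

```kql
// Added example (not the page's own query): password spray seen from the attacker's IP, then any
// account the same IP subsequently got into. Assumes only the standard SigninLogs table.
let spray_window = 1h;
let min_accounts = 20;   // distinct accounts one IP failed against inside one window
let spray_sources = SigninLogs
    | where TimeGenerated > ago(1d)
    // 50126 = bad password, 50053 = locked out, 50057 = disabled account: what a spray looks like
    // from the back end. ResultType is a string column, so the codes are quoted.
    | where ResultType in ("50126", "50053", "50057")
    | summarize TargetAccounts = dcount(UserPrincipalName), Failures = count(),
                SampleAccounts = make_set(UserPrincipalName, 10)
        by IPAddress, Window = bin(TimeGenerated, spray_window)
    | where TargetAccounts >= min_accounts;
SigninLogs
| where TimeGenerated > ago(1d)
// "0" is a full success; 50074 and 50076 mean the password was accepted and MFA was then demanded,
// which from a spray is still a found credential and belongs in the output.
| where ResultType in ("0", "50074", "50076")
| extend Window = bin(TimeGenerated, spray_window)
| join kind=inner spray_sources on IPAddress
// same window as the spray, or the one immediately after it
| where Window == Window1 or Window == Window1 + spray_window
| project SuccessTime = TimeGenerated, IPAddress, CompromisedAccount = UserPrincipalName,
          ResultType, AppDisplayName, TargetAccounts, Failures, SampleAccounts, SprayWindow = Window1
| order by SuccessTime desc
```

The MFA-interrupted codes are the point of the second half: a tenant with MFA enforced everywhere will rarely see a `"0"` from a spray IP, but it will see 50076, and that is the account whose password needs resetting tonight. Expect false positives from shared egress (VPN concentrators, the office NAT) and either exclude those IPs or raise `min_accounts` for them.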
Email — Defender for Office signals
5. External email from look-alike domain to executive
EmailEvents | where TimeGenerated > ago(7d) | where RecipientEmailAddress in~ (_GetWatchlist('Executives') | project SearchKey) | where SenderFromDomain in~ (_GetWatchlist('LookalikeDomains') | project SearchKey) | project TimeGenerated, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, Subject, DeliveryAction — drives the executive-impersonation alert pattern. Both lists are tenant-specific Watchlists (the names here are placeholders): the lookalike list holds the registered-domain variants of your own (yourcompany.com vs yourc0mpany.com, yourcompany-au.com and so on) and SearchKey is whichever column you marked as the search key when you created it. DeliveryAction tells you whether the message reached the inbox or was already quarantined, which decides the urgency.
6. Malicious URL clicked within 7 days, even if blocked
UrlClickEvents | where TimeGenerated > ago(7d) | where ActionType in ('ClickAllowed', 'ClickBlocked', 'ClickBlockedByTenantPolicy') | where isnotempty(ThreatTypes) or ActionType startswith 'ClickBlocked' | summarize Clicks = count(), Blocked = countif(ActionType startswith 'ClickBlocked'), ClickedThrough = countif(IsClickedThrough == true), Urls = make_set(Url, 10) by AccountUpn — even blocked clicks show which users are being targeted, and IsClickedThrough shows which of them go past a Safe Links warning page anyway. ThreatTypes is populated when Safe Links returned a Phish or Malware verdict, so the filter keeps verdict-bearing allowed clicks as well as every block.
7. Inbox rules that auto-delete or forward
OfficeActivity | where OfficeWorkload == 'Exchange' | where Operation in ('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules') | where Parameters has_any ('DeleteMessage', 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'MoveToFolder') or OperationProperties has_any ('DeleteMessage', 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'MoveToFolder') — classic BEC persistence pattern, and high fidelity. ForwardAsAttachmentTo and RedirectTo are the less obvious ways to forward, and attackers also use MoveToFolder to bury replies in RSS Feeds or Deleted Items. Rules created from Outlook desktop are logged as UpdateInboxRules with the rule details in OperationProperties rather than Parameters, which is why both operations and both columns are checked; the original query covered only the Outlook Web and PowerShell path.
Endpoint — Defender for Endpoint signals
8. PowerShell with encoded command from non-admin user
DeviceProcessEvents | where FileName in~ ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine matches regex @'(?i)\s-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' | where AccountName !in~ (_GetWatchlist('AdminAccounts') | project SearchKey) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine — surfaces base64-encoded PowerShell launched under non-admin accounts. FileName and AccountName describe the process that carried the command line; InitiatingProcessFileName is its parent, so filtering on the parent, as the original did, only finds PowerShell that spawned something else. PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc and so on), so a literal '-enc' misses the short forms malware favours; the regex catches them and requires a payload of base64 length. The watchlist name is a placeholder. Cross-reference with the ASR rule 'Block execution of potentially obfuscated scripts'.
9. ASR rule triggered, top 10 in last 7 days
DeviceEvents | where TimeGenerated > ago(7d) | where ActionType startswith 'Asr' | summarize Hits = count(), Devices = dcount(DeviceName) by ActionType, FileName, InitiatingProcessFileName | top 10 by Hits — review weekly. The ActionType suffix says whether the rule blocked or only audited (AsrOfficeChildProcessBlocked versus AsrOfficeChildProcessAudited), and the device count separates one noisy machine from a fleet-wide pattern; together they feed both the exception review and the hunt for emerging attack patterns.
10. Defender disabled or AV exclusion added
DeviceProcessEvents | where ProcessCommandLine has_any ('Set-MpPreference', 'Add-MpPreference') | where ProcessCommandLine has_any ('DisableRealtimeMonitoring', 'DisableIOAVProtection', 'DisableBehaviorMonitoring', 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') — high-fidelity tamper signal. Exclusions are normally added with Add-MpPreference rather than Set-MpPreference, so a query that only looks for Set-MpPreference misses the common case. Exclusions pushed through Intune, GPO or the Windows Security app never touch a command line at all; for those, watch DeviceRegistryEvents for writes under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions, and turn on Tamper Protection so the cmdlets fail regardless.
Network — exfiltration patterns
11. Large data egress to non-corporate cloud storage
CloudAppEvents | where TimeGenerated > ago(1d) | where ActionType in ('FileUploaded', 'Upload') | where Application !in~ (_GetWatchlist('SanctionedSaaS') | project SearchKey) | summarize Uploads = count(), Files = make_set(ObjectName, 20), Apps = make_set(Application) by AccountObjectId, AccountDisplayName | where Uploads > 50 — catches the Dropbox/Mega/personal-OneDrive exfil pattern by upload volume. CloudAppEvents has no first-class file-size column, so a TotalMB threshold only works once you pull the size out of RawEventData for the apps that report it; counting uploads is the portable version. The upload ActionType name differs between connected apps, so check what your Defender for Cloud Apps connectors actually emit before trusting the filter. The watchlist name is a placeholder.
12. DNS to known bad TLDs
DeviceNetworkEvents | where TimeGenerated > ago(1d) | where isnotempty(RemoteUrl) | extend TLD = extract(@'\.([a-z0-9-]+)(?:[:/]|$)', 1, tolower(RemoteUrl)) | where TLD in ('tk', 'zip', 'click', 'top', 'xyz') | summarize Connections = count(), Hosts = make_set(RemoteUrl, 20) by DeviceName, InitiatingProcessFileName, TLD — tune the suspicious-TLD list to your environment; extracting the TLD (the regex stops at a port or path, since RemoteUrl may be a full URL) makes the list a single place to edit, and grouping by process shows which binary is doing the talking. RemoteUrl is the hostname MDE attached to a connection, so this finds names that were actually connected to, not every lookup the resolver answered. Pair with Defender for Cloud Apps URL categorisation.
Cloud and Azure — privilege escalation
13. Role assignment to Owner / Contributor outside change window
AzureActivity | where OperationNameValue =~ 'Microsoft.Authorization/roleAssignments/write' | where ActivityStatusValue =~ 'Success' | where Properties has_any ('8e3af657-a8ff-443c-a75c-2fe8c4bcb635', 'b24988ac-6180-42a0-ab88-20f7382dd24c', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') | project TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup, Properties — alert on Owner, Contributor or User Access Administrator assigned outside an approved change window. AzureActivity stores OperationNameValue in upper case, so match case-insensitively with =~. The role never appears by display name in the event; it is only identifiable from the roleDefinitionId in the request body carried inside Properties, and the three GUIDs above are the built-in Owner, Contributor and User Access Administrator definitions, identical in every tenant. The change-window test is the same local-hour conversion used in #3.
14. Service principal granted high-privilege Graph permissions
AuditLogs | where OperationName == 'Add app role assignment to service principal' | where Result == 'success' | where tostring(TargetResources) has_any ('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All', 'Files.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All') | project TimeGenerated, InitiatedBy, TargetResources — classic OAuth app abuse pattern, and specifically the application-permission grants (no signed-in user) that BEC and ransomware crews use for mailbox and file access. TargetResources is a dynamic column, so cast it before the string search; the permission granted sits in modifiedProperties (AppRole.Value), and the app that received it and the admin who consented are in the same record. 'Mail.Read' also substring-matches Mail.ReadBasic, which is acceptable for a hunt and should be tightened for a rule; suppress expected re-consents with a watchlist of your own known-good apps.
15. Storage account public access enabled
AzureActivity | where OperationNameValue =~ 'Microsoft.Storage/storageAccounts/write' | where ActivityStatusValue =~ 'Success' | where extract(@'allowBlobPublicAccess\\?"\s*:\s*(true|false)', 1, Properties) == 'true' | project TimeGenerated, Caller, CallerIpAddress, Resource, ResourceGroup — catches a common data exposure misconfiguration. The request body is stored as a JSON string inside Properties, so its inner quotes are backslash-escaped and a literal '"allowBlobPublicAccess":true' never matches; the regex tolerates both the escaped and the unescaped form. It fires on account creation as well as updates, so expect one hit per deliberately public static-website account and put those on a suppression list.
Compliance and Insider Risk evidence
16. Departing-user activity — file downloads in notice period
OfficeActivity | where TimeGenerated > ago(7d) | where OfficeWorkload in ('SharePoint', 'OneDrive') | where Operation in ('FileDownloaded', 'FileSyncDownloadedFull') | extend UserId = tolower(UserId) | join kind=inner (_GetWatchlist('DepartingUsers') | extend DepartureDate = todatetime(DepartureDate) | where DepartureDate between (now() .. now() + 30d) | project UserId = tolower(UPN), DepartureDate) on UserId | summarize Downloads = count(), Files = make_set(SourceFileName, 10), Sites = dcount(Site_Url) by UserId, DepartureDate | where Downloads > 50 — the most-cited Insider Risk indicator. The Purview HR connector feeds Insider Risk Management, not a Log Analytics table, so there is no HR table to join in Sentinel; the notice-period list lives in a Watchlist instead (DepartingUsers and its UPN and DepartureDate columns are placeholders for whatever HR exports). Notice period means an upcoming departure, hence the window in front of now(); widen it backwards if accounts stay enabled after the leaving date, and lower-case both sides of the join because UserId case is not consistent.
17. Sensitivity-labelled file shared externally
CloudAppEvents | where TimeGenerated > ago(7d) | where ActionType in ('SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated', 'SecureLinkCreated', 'AddedToSecureLink') | where ActionType == 'AnonymousLinkCreated' or tostring(RawEventData.TargetUserOrGroupType) =~ 'Guest' | where tostring(AdditionalFields) has_any ('Confidential', 'Highly Confidential') | project TimeGenerated, AccountDisplayName, ActionType, ObjectName, Target = tostring(RawEventData.TargetUserOrGroupName) — wires sensitivity-label investment to outbound monitoring. SharePoint and OneDrive sharing surfaces under the original Office audit operation names, not a 'SharingAdded' type, and whether the share went to a guest or to an anonymous link is in the raw audit record. The label match is by display name, so change it if your taxonomy differs.
18. Litigation hold removed
OfficeActivity | where OfficeWorkload == 'Exchange' | where Operation == 'Set-Mailbox' | where Parameters has 'LitigationHoldEnabled' | where Parameters matches regex @'"Name"\s*:\s*"LitigationHoldEnabled"\s*,\s*"Value"\s*:\s*"False"' | project TimeGenerated, UserId, Mailbox = OfficeObjectId, ClientIP — compliance evidence signal; rarely legitimate. Parameters is a JSON array of Name/Value pairs, so a bare 'False' substring also matches any other boolean switch passed in the same cmdlet; anchoring the value to the parameter name keeps the rule on the hold.
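Both #7 and #18 are really the same problem, addressing one named parameter inside the Exchange admin audit record, so one parser can feed both. The query below is an added example (not a query from the page): it assumes OfficeActivity.Parameters is the JSON text of an array of Name/Value objects, as Exchange cmdlet auditing writes it, and that OfficeObjectId names the mailbox or rule acted on. The 7-day window and the signal labels are choices, not page values:

```kql
// Added example (not the page's own query): one parser for the Parameters array on Exchange admin
// audit records, feeding both the inbox-rule detection (#7) and the litigation-hold detection (#18).
// Assumption: OfficeActivity.Parameters is the JSON text of an array of {"Name": ..., "Value": ...}
// objects, and OfficeObjectId is the mailbox or rule the cmdlet acted on.
let ExchangeAdmin = OfficeActivity
    | where TimeGenerated > ago(7d)
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
    | mv-expand Param = parse_json(Parameters)
    // Fold the Name/Value pairs into one property bag per record so each parameter is addressable by name.
    | summarize Params = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
        by TimeGenerated, OfficeId, UserId, Operation, OfficeObjectId, ClientIP;
let InboxRuleTamper = ExchangeAdmin
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | where tostring(Params.DeleteMessage) =~ "True"
        or isnotempty(Params.ForwardTo)
        or isnotempty(Params.ForwardAsAttachmentTo)
        or isnotempty(Params.RedirectTo)
    | extend Signal = "Inbox rule deletes or forwards mail",
             Detail = strcat("forward=", tostring(Params.ForwardTo),
                             tostring(Params.ForwardAsAttachmentTo), tostring(Params.RedirectTo),
                             " delete=", tostring(Params.DeleteMessage));
let HoldRemoved = ExchangeAdmin
    | where Operation == "Set-Mailbox"
    // exact parameter, exact value: a "False" elsewhere in the cmdlet no longer matches
    | where tostring(Params.LitigationHoldEnabled) =~ "False"
    | extend Signal = "Litigation hold removed",
             Detail = strcat("mailbox=", OfficeObjectId);
union InboxRuleTamper, HoldRemoved
| project TimeGenerated, Signal, Actor = UserId, Operation, Target = OfficeObjectId, ClientIP, Detail, Params
| order by TimeGenerated desc
```

Keeping the whole `Params` bag in the output is deliberate: for an inbox rule it shows the conditions (SubjectContainsWords, From) that tell you which conversation the attacker is hiding, and for a hold removal it shows whether a retention policy changed in the same call. Outlook-desktop rule changes arrive as UpdateInboxRules with the rule in OperationProperties rather than Parameters, so that path still needs the separate check from #7.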
Operational — Sentinel health
19. Sentinel ingestion volume by source (cost watch)
Usage | where TimeGenerated > ago(7d) | where IsBillable == true | summarize GB = round(sum(Quantity) / 1024, 2) by DataType | order by GB desc — daily inspection of the bill. Quantity is in MB, so dividing by 1024 gives GB; the summarize needs a named column because sum_Quantity is only the automatic name for a bare sum(Quantity), not for the divided expression the original sorted on, which would have failed. IsBillable drops the tables billed at zero (SecurityAlert, SecurityIncident and friends), which otherwise clutter the top of the list. The top three usually surface the optimisation candidates; Usage only breaks down by data type, so per-computer or per-source cost inside a type needs _BilledSize on the source table itself.
20. Analytics rules failing or disabled
SentinelHealth | where TimeGenerated > ago(1d) | where SentinelResourceType == 'Analytics Rule' | where Status != 'Success' | summarize LastFailure = max(TimeGenerated), Failures = count(), Reason = take_any(Description) by SentinelResourceName — flags rules that are failing to run (query errors, throttling, lost permissions). Health monitoring has to be switched on once under Sentinel settings before this table fills. Alert silence is a different question from rule failure: a SecurityAlert-based check cannot tell a broken rule from a rule with nothing to report, and Sentinel's own scheduled rules carry ProviderName 'ASI Scheduled Alerts' rather than 'Microsoft Sentinel', so keep that version as a weekly hunt in the corrected form: SecurityAlert | where ProviderName == 'ASI Scheduled Alerts' | summarize LastAlert = max(TimeGenerated) by AlertName | where LastAlert < ago(7d). Neither query lists rules that are disabled, since those never run at all; compare against the rule inventory from the Analytics blade or the API for that.
How to deploy these in your tenant
Save the high-value rules (impossible travel, OAuth app abuse, Defender tamper, Insider Risk departure) as scheduled analytics rules with appropriate thresholds, remembering that a scheduled rule can only look back 14 days: anything that needs a longer baseline (the 90-day country history in #2) has to be materialised into a Watchlist or a summary table that the rule joins against. Save the hunting-pattern queries (suspicious TLDs, large data egress, executive lookalike domains) as hunting queries to run weekly. Wire the Sentinel ingestion cost query (#19) to a recurring email or a workbook tile; most cost surprises are visible by day 2 of the month, but only if someone is looking.
Frame the security baseline behind these queries
KQL queries are downstream of control posture. Most of the detections above only fire cleanly when the underlying control exists (application control, restricted admin privileges, MFA), so score your tenant against the Essential Eight strategies first: that is what surfaces the controls that drive the most valuable detections. Maturity Level 2 is the pragmatic target most organisations pick.
- 01 Application control: Only approved applications can execute on workstations and servers.
- 02 Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: Web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: Admin accounts limited, separated and reviewed; the crown jewels of the tenant.
- 06 Patch operating systems: Operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters; privileged accounts, remote access, important data.
- 08 Regular backups: Backups of important data, configuration and software, and restores you have actually tested.