Frontrow Technology

Sentinel KQL: 20 queries every Australian SOC analyst should know in 2026

A working KQL cheatsheet for Microsoft Sentinel — sign-in anomalies, OAuth consent grants, Defender alerts, file exfiltration, AU-specific geo and time anomalies — with notes on tuning for AU tenants.

Daniel Brown · Last reviewed 23 May 2026 · 10 min read

Kusto Query Language is the cost of entry for any analyst running Microsoft Sentinel. It is also the cost of entry for hunting inside Defender XDR: advanced hunting uses the same language, and the Defender tables (DeviceEvents, EmailEvents, AlertEvidence and the rest) carry the same columns whether you query them in the Defender portal or, with the Defender XDR connector enabled, in the Sentinel workspace. Sentinel adds its own tables on top, such as SigninLogs, AuditLogs and OfficeActivity. The list below is twenty queries every Australian SOC analyst should be able to write from memory by the end of their first six months. None of them is novel; collectively they are the spine of day-to-day detection and hunting work in an AU tenant.

Identity — sign-in anomalies

  1. Successful sign-ins from countries outside the organisation's normal travel pattern (Australia, New Zealand, the US, the UK and Singapore, depending on the org) over the last 7 days, grouped by user and country.
  2. Sign-ins flagged as risky by Entra ID Protection in the last 24 hours, with RiskState showing whether the risk was remediated by the user, dismissed by an admin, or is still open.
  3. Legacy authentication (ClientAppUsed other than Browser and Mobile Apps and Desktop clients) still occurring after a Conditional Access block-legacy-auth policy is in place; usually surfaces a forgotten service account or a misconfigured mailbox client.
  4. Sign-in failures grouped by user and IP, filtered to where the failure count exceeds 20 in an hour; surfaces password-spray and brute-force attempts. Grouping by IP alone, with a count of distinct users, is what separates the two.
  5. Successful sign-ins after a prior block for the same user, app and IP (ConditionalAccessStatus moving from failure to success); surfaces evidence that a Conditional Access policy is more lenient than intended.
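Query 4 worked through, as an added example that is not part of the original guide. It groups failures by source IP rather than by user, because a spray touches many accounts a few times each and never crosses a per-user threshold; it then checks whether anything from the same IP succeeded in the window, which is the fact that turns a hunt into an incident. The thresholds and the one-hour window are assumptions to tune per tenant.

```kql
// Added example (not from the original guide). Sentinel SigninLogs, last hour.
// FailureThreshold and SprayUserThreshold are assumed starting points; tune per tenant.
let window = 1h;
let FailureThreshold = 20;      // failures from one IP inside the window
let SprayUserThreshold = 10;    // distinct accounts from one IP => spray rather than brute force
let failures = SigninLogs
| where TimeGenerated > ago(window)
| where ResultType != "0"       // ResultType is a string in SigninLogs; "0" is success
| summarize Failures = count(),
            Users = dcount(UserPrincipalName),
            TopUsers = make_set(UserPrincipalName, 5),
            Codes = make_set(ResultType, 5),          // 50126 bad password, 50053 locked, 50057 disabled ...
            Apps = make_set(AppDisplayName, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by IPAddress
| where Failures >= FailureThreshold;
// Anything that succeeded from the same IP in the same window is the row you escalate first
let successes = SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| summarize Successes = count(), SucceededUsers = make_set(UserPrincipalName, 5) by IPAddress;
failures
| join kind=leftouter successes on IPAddress
| extend Successes = coalesce(Successes, 0)
| extend Pattern = case(Users >= SprayUserThreshold, "password-spray",
                        Users == 1,                  "brute-force",
                                                     "mixed")
| project IPAddress, Pattern, Failures, Users, Successes, SucceededUsers, TopUsers, Codes, Apps, FirstSeen, LastSeen
| order by Successes desc, Failures desc
```

Run it over 1h for an analytics rule and over 24h when hunting; a slow spray (one attempt per account per hour, rotating IPs) will only show up at the longer window, and then only if you also summarise by ASN or the AutonomousSystemNumber column rather than IPAddress.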

OAuth consent and mailbox persistence

  1. AuditLogs entries where OperationName is 'Consent to application'; surfaces newly granted OAuth permissions to investigate. The granted scopes are not a column; they sit inside TargetResources.modifiedProperties and have to be parsed out.
  2. Service principal sign-ins (AADServicePrincipalSignInLogs) where the application is unfamiliar or newly seen; useful for finding tokens used by automation running on stolen credentials or leaked client secrets.
  3. Inbox-rule creation in Exchange Online (OfficeActivity with Operation New-InboxRule or Set-InboxRule) that forwards mail externally, deletes it, or moves it to an obscure folder such as RSS Subscriptions, especially across many mailboxes at once; a high-confidence post-compromise indicator.
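Query 6 worked through, as an added example that is not part of the original guide. The fiddly part of the consent query is that the scopes granted live inside a nested dynamic column, so the block expands TargetResources and its modifiedProperties and pulls Scope and ConsentType out of the ConsentAction.Permissions value with a regular expression. The list of scopes treated as high risk is an assumption; extend it to match what your tenant cares about.

```kql
// Added example (not from the original guide). Sentinel AuditLogs, last 7 days.
// HighRiskScopes is an assumed starting list, not an official Microsoft classification.
let HighRiskScopes = dynamic(["Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                              "Files.Read.All", "Files.ReadWrite.All", "Directory.AccessAsUser.All",
                              "offline_access"]);
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| where Result == "success"
| extend Actor   = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp = tostring(InitiatedBy.user.ipAddress)
// One TargetResources entry is the service principal that received consent
| mv-expand TargetResource = TargetResources
| where tostring(TargetResource.type) == "ServicePrincipal"
| extend AppName = tostring(TargetResource.displayName),
         AppObjectId = tostring(TargetResource.id)
// The scopes are inside modifiedProperties, under the ConsentAction.Permissions display name
| mv-expand Prop = TargetResource.modifiedProperties
| where tostring(Prop.displayName) == "ConsentAction.Permissions"
| extend PermissionText = tostring(Prop.newValue)
// newValue is a bracketed text blob, e.g. "... ConsentType: Principal, Scope: Mail.Read User.Read ..."
| extend Scope       = trim(@"\s+", extract(@"Scope:\s*([^,\]]+)", 1, PermissionText)),
         ConsentType = extract(@"ConsentType:\s*(\w+)", 1, PermissionText)
| extend AdminConsent = ConsentType == "AllPrincipals",       // tenant-wide grant
         HighRisk     = Scope has_any (HighRiskScopes)
| project TimeGenerated, Actor, ActorIp, AppName, AppObjectId, ConsentType, AdminConsent, Scope, HighRisk, CorrelationId
| order by HighRisk desc, AdminConsent desc, TimeGenerated desc
```

Pair the result with a lookup of AppObjectId in the Entra portal: a consent to a verified first-party app with User.Read is noise, a user-consented multi-tenant app asking for Mail.ReadWrite plus offline_access is the illicit-consent pattern, and an AllPrincipals grant from an account that is not a Global or Application Administrator should not be possible.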

Defender XDR signal correlation

  1. AlertEvidence joined with DeviceEvents (and DeviceProcessEvents for process-creation detail) on DeviceId around the alert time; pivots from a Defender for Endpoint alert into the surrounding device activity, the single most useful hunting pivot inside Defender XDR.
  2. UrlClickEvents → EmailEvents → DeviceNetworkEvents; surfaces users who clicked a Safe Links-rewritten URL in a message that was later judged malicious (the 'we clicked, then it was flagged' window). EmailUrlInfo lists the URLs in the message; UrlClickEvents records who actually clicked and whether Safe Links allowed the click.
  3. DeviceLogonEvents where LogonType is RemoteInteractive (RDP) and RemoteIP is outside the AU corporate VPN range; ipv4_is_in_any_range against the VPN egress ranges does the filtering.
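Query 10 worked through, as an added example that is not part of the original guide. It starts from the clicks Safe Links allowed, joins back to the message to keep only mail whose verdict changed after delivery, then looks for endpoint network evidence that the host was actually reached within ten minutes of the click. The ten-minute window and the choice of "verdict changed" conditions are assumptions. Column names are the Defender XDR ones; in a Sentinel workspace with the Defender XDR connector the same tables and columns are present, with TimeGenerated added.

```kql
// Added example (not from the original guide). Defender XDR advanced hunting, last 7 days.
let lookback = 7d;
// Clicks that Safe Links let through, or where the user clicked through a warning page
let clicks = UrlClickEvents
| where Timestamp > ago(lookback)
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| project ClickTime = Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, NetworkMessageId;
// Messages that landed in the mailbox and were judged malicious afterwards (ZAP, post-delivery detonation)
let laterFlagged = EmailEvents
| where Timestamp > ago(lookback)
| where DeliveryAction == "Delivered"
| where isnotempty(ThreatTypes) or LatestDeliveryAction != "Delivered"
| project NetworkMessageId, RecipientEmailAddress, Subject, SenderFromAddress,
          LatestDeliveryAction, LatestDeliveryLocation, ThreatTypes;
// Endpoint evidence that the host was contacted; Safe Links can block before any connection is made
let endpoint = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
// RemoteUrl is sometimes a bare host, sometimes a full URL; normalise to the host either way
| extend ClickHost = coalesce(tostring(parse_url(RemoteUrl).Host), RemoteUrl)
| project NetTime = Timestamp, ClickHost, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessFileName;
clicks
| join kind=inner laterFlagged on NetworkMessageId
| extend ClickHost = tostring(parse_url(Url).Host)
| join kind=leftouter endpoint on ClickHost, $left.AccountUpn == $right.InitiatingProcessAccountUpn
| where isnull(NetTime) or NetTime between (ClickTime .. (ClickTime + 10m))   // assumed window
| summarize Reached   = countif(isnotnull(NetTime)),
            Devices   = make_set(DeviceName, 5),
            Processes = make_set(InitiatingProcessFileName, 5)
  by ClickTime, AccountUpn, Url, IsClickedThrough, Subject, SenderFromAddress, LatestDeliveryAction, ThreatTypes
| order by Reached desc, ClickTime desc
```

Rows with Reached greater than zero are credential-phish candidates where the browser got to the page; rows with Reached of zero and IsClickedThrough true are users who ignored the Safe Links warning and are worth a conversation even when nothing loaded.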

Exfiltration patterns

  1. OneDrive and SharePoint downloads per user over the trailing 7 days (OfficeActivity with Operation FileDownloaded or FileSyncDownloadedFull), sorted by count and compared against the user's own prior weeks; surfaces departing employees and unusual bulk downloads. A static threshold alone will page on every sales campaign export.
  2. Outbound EmailEvents (EmailDirection 'Outbound', DeliveryAction 'Delivered') where the recipient domain is a consumer mail service (gmail.com, hotmail.com, outlook.com, yahoo.com) and the recipient's local part matches the sender's; surfaces forwarding-to-self.
  3. Removable-media events from Defender for Endpoint (DeviceEvents with ActionType PnpDeviceConnected or UsbDriveMounted, and RemovableStoragePolicyTriggered where Device Control is deployed); useful where USB control is part of the policy posture.
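Query 12 worked through, as an added example that is not part of the original guide. Rather than a single threshold, it computes each user's download count for the last 7 days and compares it against that user's own average week over the preceding four, so a sales analyst who always pulls 2,000 files a week does not alert while a developer who normally pulls 30 and suddenly pulls 600 does. The static floor, the spike ratio and the 28-day baseline are assumptions to tune.

```kql
// Added example (not from the original guide). Sentinel OfficeActivity (Office 365 connector).
// MinDownloads, SpikeRatio and the 28-day baseline are assumed starting points.
let window    = 7d;
let baseline  = 28d;          // four prior weeks, so the weekly average is a straight divide by 4
let MinDownloads = 500;       // ignore small spikes even when the ratio is high
let SpikeRatio   = 5.0;       // this week must be 5x the user's own average week
let downloads = OfficeActivity
| where TimeGenerated > ago(window + baseline)
| where OfficeWorkload in ("OneDrive", "SharePoint")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| where isnotempty(UserId);
let recent = downloads
| where TimeGenerated > ago(window)
| summarize Recent        = count(),
            DistinctFiles = dcount(OfficeObjectId),
            Sites         = dcount(Site_Url),
            ClientIPs     = make_set(ClientIP, 5)
  by UserId;
let prior = downloads
| where TimeGenerated <= ago(window)
| summarize PriorTotal = count() by UserId
| extend PriorWeekly = todouble(PriorTotal) / 4.0;
recent
| join kind=leftouter prior on UserId
| extend PriorWeekly = coalesce(PriorWeekly, 0.0)               // no history => new or dormant account
| extend Ratio = iff(PriorWeekly > 0, Recent / PriorWeekly, real(null))
| where Recent >= MinDownloads and (isnull(Ratio) or Ratio >= SpikeRatio)
| project UserId, Recent, DistinctFiles, Sites, PriorWeekly, Ratio, ClientIPs
| order by Recent desc
```

Sites and ClientIPs are there for triage: many files from one site via the sync client is usually a laptop rebuild or a new team member; many sites from an unfamiliar IP is the pattern to take to HR. Audit records for SharePoint do not carry a reliable size, so counts are the metric.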

AU-specific geo and time

  1. Sign-ins outside Australian business hours (defined per role) from a non-AU IP; surfaces account takeover during the AU overnight window when most users are inactive. Convert TimeGenerated with datetime_utc_to_local('Australia/Sydney') rather than adding a fixed UTC offset, so daylight saving does not move the window.
  2. Impossible travel; Entra ID Protection flags this, but a KQL variant tuned to a custom travel window (e.g. 4 hours intercontinental rather than 1 hour) reduces noise on legitimately travelling staff.
  3. Privileged-role activations after hours; AuditLogs entries for PIM activation (OperationName 'Add member to role completed (PIM activation)'), filtered to outside business hours in the actor's normal work time zone.
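Query 17 worked through, as an added example that is not part of the original guide. It generalises the "custom travel window" idea: instead of one fixed window, it computes the distance between consecutive sign-ins from the geo-coordinates in LocationDetails and flags the pair only if the implied speed is faster than a commercial flight, so a Sydney to Singapore hop and a Sydney to London hop each get a proportionate allowance. The speed and minimum-distance constants are assumptions.

```kql
// Added example (not from the original guide). Sentinel SigninLogs, last 24 hours.
// MinSpeedKmh and MinDistanceKm are assumed starting points; tune per tenant.
let lookback = 1d;
let MinSpeedKmh   = 900.0;    // faster than an airliner => not physically possible
let MinDistanceKm = 500.0;    // ignore intra-city moves and mobile-carrier geolocation jitter
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                                  // successful sign-ins only
| extend Lat     = todouble(LocationDetails.geoCoordinates.latitude),
         Lon     = todouble(LocationDetails.geoCoordinates.longitude),
         Country = tostring(LocationDetails.countryOrRegion)
| where isnotnull(Lat) and isnotnull(Lon)
| project TimeGenerated, UserPrincipalName, IPAddress, Country, Lat, Lon, AppDisplayName
// Order per user so prev() gives the user's previous sign-in
| sort by UserPrincipalName asc, TimeGenerated asc
| extend PrevUser    = prev(UserPrincipalName),
         PrevTime    = prev(TimeGenerated),
         PrevLat     = prev(Lat),
         PrevLon     = prev(Lon),
         PrevCountry = prev(Country),
         PrevIP      = prev(IPAddress)
| where PrevUser == UserPrincipalName                       // drop the first row of each user
// geo_distance_2points takes (lon1, lat1, lon2, lat2) and returns metres
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0
| extend Hours      = (TimeGenerated - PrevTime) / 1h
| extend SpeedKmh   = iff(Hours > 0, DistanceKm / Hours, real(null))
| where DistanceKm >= MinDistanceKm and (Hours == 0 or SpeedKmh >= MinSpeedKmh)
| project UserPrincipalName, PrevTime, PrevCountry, PrevIP, TimeGenerated, Country, IPAddress,
          DistanceKm = round(DistanceKm), Hours = round(Hours, 2), SpeedKmh = round(SpeedKmh), AppDisplayName
| order by SpeedKmh desc
```

The two constants are the tuning knobs the guide is talking about: raising MinDistanceKm to 1500 suppresses east-coast to Perth and Sydney to Auckland pairs produced by carrier NAT, and the VPN and cloud-proxy egress ranges should be excluded before this query rather than inside it.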

Hunting and threat intelligence

  1. ThreatIntelligenceIndicator (or ThreatIntelIndicators in newer workspaces) joined to DeviceNetworkEvents; surfaces communication with known-bad IPs and domains from Microsoft Defender Threat Intelligence and any other feed connected to the workspace.
  2. EmailEvents where SenderDisplayName contains an executive's name but SenderFromDomain is not one of your domains; a simple BEC heuristic, best driven from a watchlist of executive names rather than hard-coded strings.
  3. EmailEvents joined with EmailAttachmentInfo where FileType is an archive (zip, 7z, rar) arriving from outside. The file name cannot tell you whether the archive is password-protected, but protected archives cannot be scanned, which is exactly why attackers use them, so inbound archives from unknown senders deserve a second look.
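Query 18 worked through, as an added example that is not part of the original guide. It dedupes the indicator table to the latest active version of each indicator, then matches IP indicators against RemoteIP and domain indicators against the host part of RemoteUrl in two branches of a union, because a single join key cannot serve both. The 14-day lookback and the ActionType filter are assumptions.

```kql
// Added example (not from the original guide). Sentinel with the Defender XDR connector.
// Uses ThreatIntelligenceIndicator; newer workspaces expose ThreatIntelIndicators instead.
let lookback = 14d;
let ti = ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
| where Active == true and ExpirationDateTime > now()
| summarize arg_max(TimeGenerated, *) by IndicatorId      // latest version of each indicator only
| where isnotempty(NetworkIP) or isnotempty(DomainName)
| project IndicatorId, NetworkIP, DomainName, ThreatType, ConfidenceScore, Description, SourceSystem;
let net = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
// RemoteUrl may be a bare host or a full URL; keep the host so it matches DomainName
| extend RemoteHost = coalesce(tostring(parse_url(RemoteUrl).Host), RemoteUrl)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteHost,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
union
  (ti | where isnotempty(NetworkIP)  | join kind=inner net on $left.NetworkIP  == $right.RemoteIP   | extend Matched = "ip"),
  (ti | where isnotempty(DomainName) | join kind=inner net on $left.DomainName == $right.RemoteHost | extend Matched = "domain")
| summarize Hits      = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Devices   = make_set(DeviceName, 10),
            Processes = make_set(InitiatingProcessFileName, 10),
            Ports     = make_set(RemotePort, 10)
  by Matched, Indicator = coalesce(NetworkIP, DomainName), ThreatType, ConfidenceScore, Description, SourceSystem
| order by ConfidenceScore desc, Hits desc
```

Processes is the triage column: a hit from a browser against a low-confidence indicator is usually an ad network or a shared hosting IP that was once bad, while a hit from powershell.exe or an unsigned binary against a high-confidence C2 indicator is an incident regardless of the score.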

Tuning these for AU tenants

Each of these queries needs a tuning pass against the specific tenant before being promoted from hunting query to analytics rule. The most common false positives in the AU mid-market are legitimate staff travel to Bali, Singapore and Tokyo (geo rules), legitimate after-hours work by leadership (privileged-role rules), and legitimate bulk downloads by sales and marketing teams running campaign exports. The discipline is to start every rule in alert-only mode for two weeks, tune, then promote. The cost of a noisy analytics rule in Sentinel is not just analyst fatigue: every false incident also fires whatever automation rules and playbooks hang off it, and every hour spent closing them is an hour not spent on the real ones. Ingestion cost is set by the connectors you enable, not by the rules that query them, so the fix for a noisy rule is a better query and a watchlist of exceptions, not dropping a table.
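The tuning pattern described above applied to query 16, as an added example that is not part of the original guide. Exceptions live in two Sentinel watchlists rather than in the query text: one for VPN and proxy egress ranges (which routinely geolocate offshore), one for declared staff travel with an expiry date so an exception cannot quietly become permanent. Both watchlist names and their columns are assumptions; create them to match, or rename them in the query. The business-hours window is the Sydney default; per-role hours would be a third watchlist.

```kql
// Added example (not from the original guide). Sentinel SigninLogs plus two assumed watchlists:
//   VpnRanges         SearchKey column holds a CIDR, e.g. 203.0.113.0/24
//   TravelExceptions  columns UserPrincipalName, Country (ISO code), ValidUntil (ISO date)
let AllowedCountries = dynamic(["AU", "NZ"]);
let StartHour = 7;
let EndHour   = 19;                           // Sydney local business window; tune per role
let VpnRanges = toscalar(_GetWatchlist('VpnRanges') | summarize make_list(SearchKey));
let travel = _GetWatchlist('TravelExceptions')
| extend ValidUntil = todatetime(ValidUntil)
| where ValidUntil > now()                     // expired exceptions stop applying by themselves
| project UserPrincipalName = tolower(UserPrincipalName), Country;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion),
         UserPrincipalName = tolower(UserPrincipalName)
| where Country !in (AllowedCountries)
// Exclusion 1: corporate VPN / SWG egress. ipv4_is_in_any_range returns null for IPv6,
// and a null in a where clause drops the row, so default it to false first.
| where not(coalesce(ipv4_is_in_any_range(IPAddress, VpnRanges), false))
// Exclusion 2: declared, time-boxed travel for that user to that country
| join kind=leftanti travel on UserPrincipalName, Country
// AU overnight window, DST-aware: no hard-coded +10 or +11
| extend LocalTime = datetime_utc_to_local(TimeGenerated, "Australia/Sydney")
| extend LocalHour = hourofday(LocalTime),
         Weekend   = dayofweek(LocalTime) in (0d, 6d)
| where Weekend or LocalHour < StartHour or LocalHour >= EndHour
| summarize SignIns = count(),
            Apps    = make_set(AppDisplayName, 5),
            IPs     = make_set(IPAddress, 5),
            First   = min(LocalTime),
            Last    = max(LocalTime)
  by UserPrincipalName, Country
| order by SignIns desc
```

Promote this as a scheduled rule only after the two alert-only weeks have populated TravelExceptions with the genuine travellers; if the watchlist is empty when the rule goes live, the first week of incidents will be Bali.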
