Skip to content
/ NRT-KQL Public

To create NRT rules, we needed to be certain about the KQL syntax that can and cannot be used. This led us to create our own documentation.

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

FalconForceTeam/NRT-KQL

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
functions.json
functions.json
 
 
operators.json
operators.json
 
 
statements.json
statements.json
 
 
tables.json
tables.json
 
 

Repository files navigation

NRT-KQL

To create NRT rules, we needed to be certain about the KQL syntax that can and cannot be used. This led us to create our own documentation by following five simple steps:

  • Take a deep breath.Browse through Microsoft’s KQL documentation.
  • Evaluate NRT convertibility in Defender.
  • Evaluate NRT convertibility in Sentinel.
  • Repeat.
  • After many deep breaths, we ended up with more than 500 KQL syntax elements evaluated and sorted these into four categories: tables, functions, operators, and statements.

For every category, we created a JSON file and populated it with our findings. The JSON follows the format:

“m365”: {
  “Accepted”: [],
  “Prohibited”: []
},
“Sentinel”: {
  “Accepted”: [],
  “Prohibited”: []
}

About

To create NRT rules, we needed to be certain about the KQL syntax that can and cannot be used. This led us to create our own documentation.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published