The objective of this repository is to gather KQL queries related to the Microsoft Entra product family. It contains KQL queries that I have needed in my daily work in one way or another, as well as KQL queries that accompany blog posts on my website. The hope is that other people can benefit from this content in their everyday work with Microsoft Entra.
The KQL queries in this repository are intended to either help provide insights into various actions or be used for monitoring in Microsoft Sentinel.
I recommend this blog post on how to run a Lifecycle Workflow based on an alert from Microsoft Sentinel: Using Entra ID Governance and Sentinel to assure user alignment with HR data
Many of the queries carry the following comment on their second line: // Usecase: Insights and/or monitoring alert via Sentinel/Azure Monitor. This comment states the intended purpose of the query (ad-hoc insight, monitoring alert, or both).
This repository is divided into the following categories: