XQL Investigation Notes
Reusable Cortex-style query thinking for auth, process, network, and timeline pivots.
Query Shape
Begin with a single pivot: a user, host, process, IP, or alert ID. Keep each query tied to one question so the results are easy to defend.
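As an added example (not part of the original notes), one XQL query shaped this way: it starts from a host plus a remote IP, asks a single question, and is bounded to the time range that will later go into the hand-off. The hostname, IP and window are constructed placeholders, and the xdr_data field names are assumed from the Cortex XDR schema; confirm them against your tenant before relying on the output.

```xql
// Question: which processes on WS-FIN-07 connected to 203.0.113.45
// between 06:00 and 08:00 UTC on 2024-05-14, and what launched them?
// Host, IP and window are constructed placeholders.
config timeframe between "2024-05-14 06:00:00" and "2024-05-14 08:00:00"
| dataset = xdr_data
// One event type, one host, one remote IP: one question per query.
| filter event_type = ENUM.NETWORK
    and agent_hostname = "WS-FIN-07"
    and action_remote_ip = "203.0.113.45"
// Keep the rows that an escalation note needs: when, who, what process,
// what started it, and where the connection went. Field names are assumed.
| fields _time, agent_hostname, actor_effective_username,
         actor_process_image_name, actor_process_command_line,
         causality_actor_process_image_name,
         action_local_ip, action_remote_ip, action_remote_port
// Earliest signal first, so the rows read as a timeline.
| sort asc _time
| limit 200
```

Paste the query text, the window, and the handful of rows that answer the question into the hand-off, rather than a screenshot of the full result set.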
Timeline
Build a timeline from earliest suspicious signal through containment. Keep benign context visible so escalation notes stay fair.
Hand-Off
Include the query, key rows, time range, and why the evidence matters when escalating.
Related
- Kusto Query Language (KQL) — detection and response for T1654 techniques
- SIEM Log Management — detection and response for TA0040 techniques
- Azure Sentinel — detection and response for T1654 techniques
- Log Sources Overview — covers the log sources overview concepts
- Splunk — detection and response for T1654 techniques
