Liberty91
CTI Skill · Detection engineering

KQL Query Writing.

/kql-writing

Writing a KQL query for Sentinel often means translating an investigation finding into the right tables, operators and joins. This skill does that translation for you. Describe what you want to hunt, name your environment, and it drafts a query for Microsoft Sentinel, Defender or Azure Log Analytics in correct Kusto syntax, ready to run or save as an analytics rule.

What it does.

The skill turns a finding or a hunting idea into a working KQL query. It selects the right tables for the data source, applies where, project, summarize, join and time filters in the correct order, and shapes the output for triage. It can translate an indicator or a behaviour from an upstream investigation into a hunt across your logs, and structure the query so it slots cleanly into a Sentinel detection rule.

When to use it.

Use it when you have a finding and need to check whether the same activity appears across your Microsoft estate, or when you want to convert intelligence into a scheduled detection. It suits CTI analysts and detection engineers working in Sentinel, Defender XDR or Azure Log Analytics who would rather describe the hunt than hand-build every join and aggregation.

What you get back.

A KQL query in valid Kusto syntax targeting the correct tables, with sensible time windows, filtering and projection, plus brief notes on what each stage does and where to tune thresholds. Where useful, it suggests the columns to surface for triage and how to adapt the query between a one-off hunt and a saved analytics rule.

How it fits your workflow.

It is one of the open-source CTI Skills that run inside an AI coding agent such as Claude Code. You work in your terminal, describe the hunt, and get a query you can paste into Sentinel or Defender Advanced Hunting. It chains neatly after a hash or malware investigation, taking the indicators those steps surface and turning them into a query across your Microsoft logs.
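As an illustration of the query shape described above (added here as an example, not output from the skill or code from the project): a hunt that takes SHA256 indicators from an upstream hash investigation and checks both process launches and outbound connections across the Defender for Endpoint tables in Sentinel. It assumes the standard `DeviceProcessEvents` and `DeviceNetworkEvents` tables; the hash values are placeholders to be replaced with the real indicators.

```kql
// Constructed example: hunt for indicator hashes across process and network telemetry.
// Replace the placeholder hashes with the SHA256 values from the upstream finding.
let lookback = 7d;
let ioc_hashes = dynamic(["PLACEHOLDER_SHA256_1", "PLACEHOLDER_SHA256_2"]);
// Stage 1: time filter first (cheapest cut), then the indicator match, then aggregate per host.
let matched_procs =
    DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where SHA256 in (ioc_hashes)
    | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                Launches = count(), CommandLines = make_set(ProcessCommandLine, 5)
        by DeviceId, DeviceName, AccountName, SHA256, FileName, FolderPath;
// Stage 2: outbound connections made by the same binaries, keyed the same way for the join.
let outbound =
    DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where InitiatingProcessSHA256 in (ioc_hashes)
    | summarize RemoteIPs = make_set(RemoteIP, 10) by DeviceId, SHA256 = InitiatingProcessSHA256;
// Stage 3: join after both sides are reduced, then project only the triage columns.
matched_procs
| join kind=leftouter (outbound) on DeviceId, SHA256
| project FirstSeen, LastSeen, DeviceName, AccountName, FileName, FolderPath,
          SHA256, Launches, CommandLines, RemoteIPs
| order by LastSeen desc
```

In Defender Advanced Hunting the timestamp column is `Timestamp` rather than `TimeGenerated`; when saving this as a scheduled analytics rule, set `lookback` to match the rule's query period and map `DeviceName` and `AccountName` as host and account entities.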
