Empowering Security Teams with Clean Queries
The KQL Script Formatter was built to bridge the gap between messy hunting queries and optimized, production-ready Sentinel logic. Efficient queries save time, reduce costs, and catch threats faster.
Developer Profile
Created by **Xcode96**, a Security Engineering enthusiast focused on automation and threat hunting efficiency. This project is part of a continuous effort to provide open-source tools for the global security community.
Tech Stack
Automation & Hunting Playbooks
Automated Identity Protection
Use this query as the scheduled-rule or Logic App trigger for flagging high-volume sign-in activity in Microsoft Sentinel. It counts successful sign-ins per user, location, and source IP over the last hour and surfaces combinations above a fixed threshold; tune the threshold to your tenant's baseline before relying on it.

```kql
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"          // "0" is a successful sign-in; ResultType is a string column
| summarize SignInCount = count() by UserPrincipalName, Location, IPAddress
| where SignInCount > 50            // without an alias, summarize count() names the column count_
```
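A fixed count threshold only catches volume. The added example below (not part of the formatter's template library) goes a step further and flags successful sign-ins from a country the user has not signed in from during a baseline window, enriched with the geolocation of the source IP. It assumes the standard Microsoft Sentinel SigninLogs schema; the 14-day baseline and 1-hour lookback are illustrative parameters.

```kql
// Added example: new-country sign-in detection against a per-user baseline.
// Assumes the standard Sentinel SigninLogs table; lookback and baseline_window are illustrative.
let lookback = 1h;
let baseline_window = 14d;
// Baseline: the set of countries each user has successfully signed in from before the lookback window
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(baseline_window) .. ago(lookback))
    | where ResultType == "0"
    | where isnotempty(Location)
    | summarize KnownCountries = make_set(Location) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| where isnotempty(Location)
| join kind=leftouter baseline on UserPrincipalName
// Unmatched users (no baseline at all) come back with a null KnownCountries and are flagged too
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Location))
| extend GeoFromIp = geo_info_from_ip_address(IPAddress)
| project TimeGenerated, UserPrincipalName, Location, IPAddress,
          City = tostring(GeoFromIp.city), Country = tostring(GeoFromIp.country),
          KnownCountries, AppDisplayName, UserAgent
// One row per user/country pair: the most recent matching sign-in
| summarize arg_max(TimeGenerated, *) by UserPrincipalName, Location
```

The `leftouter` join is deliberate: a user with no successful sign-ins in the baseline window is more interesting, not less, so the query keeps those rows rather than silently dropping them as an `inner` join would.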
Suspicious Parent-Child Process Detection
A hypothesis-driven hunting query to find potential initial-access and C2 activity by analyzing irregular parent-child process relationships: Office applications spawning command interpreters (ATT&CK T1059 via a malicious document). Note that this is a parent-child anomaly, not process injection (T1055), which needs different telemetry.

```kql
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessCommandLine has_any ("powershell", "cmd", "wmic")
// In DeviceProcessEvents the parent process column is InitiatingProcessFileName
| where InitiatingProcessFileName has_any ("winword.exe", "excel.exe")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```
Automation & Workflow
Sentinel Automation
KQL formatted by this tool is optimized for **Microsoft Sentinel Playbooks**. Clean syntax prevents logic errors when mapping dynamic parameters in Logic Apps.
- **Dynamic Parameters**: Use `let` statements at the top of the query to define the values a Logic App will substitute (user, time window, thresholds), so the playbook only ever touches those lines.
- **Parsing Efficiency**: Pre-format `parse_json` logic on dynamic columns so the automated response receives flat, explicitly typed fields instead of raw nested objects.
- **ASIM Mapping**: Format your queries to align with the Advanced Security Information Model (ASIM) parsers so the same hunt runs across sources without per-source column names.
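The following added example (not from the formatter's library) shows the query shape those three points describe for a playbook that enriches an incident with a user's risky sign-ins. The `let` block is the only part a Logic App "Run query and list results" action needs to substitute, and the `parse_json` extraction yields the flat columns the playbook's dynamic-content mapping expects. It assumes the standard Sentinel SigninLogs schema; the user, window, and parameter names are illustrative.

```kql
// Added example: playbook-ready query with substitutable parameters and flat parse_json output.
// Assumes the standard Sentinel SigninLogs table; values in the let block are placeholders
// that the Logic App overwrites from incident entities and playbook parameters.
let target_user = "alice@contoso.com";        // substituted from the incident's account entity
let lookback = 24h;                           // substituted from a playbook parameter
let risk_levels = dynamic(["high", "medium"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where UserPrincipalName =~ target_user
| where RiskLevelDuringSignIn in~ (risk_levels)
// LocationDetails and DeviceDetail are dynamic columns. Extract only the fields the
// playbook maps, with stable names and explicit types, so the response step never
// has to dig through nested JSON.
| extend Loc = parse_json(LocationDetails), Dev = parse_json(DeviceDetail)
| extend City        = tostring(Loc.city),
         Country     = tostring(Loc.countryOrRegion),
         DeviceOS    = tostring(Dev.operatingSystem),
         DeviceTrust = tostring(Dev.trustType)
| summarize Signins    = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Countries  = make_set(Country),
            IPs        = make_set(IPAddress),
            DeviceOSes = make_set(DeviceOS),
            TrustTypes = make_set(DeviceTrust)
    by UserPrincipalName, RiskLevelDuringSignIn
| project UserPrincipalName, RiskLevelDuringSignIn, Signins, FirstSeen, LastSeen,
          Countries, IPs, DeviceOSes, TrustTypes
```

Keeping every output column explicitly named and typed in the final `project` is what prevents the mapping errors the section warns about: a renamed or retyped column surfaces as a query change, not as a silently empty field in the playbook.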
Threat Hunting Loop
Adopt a hypothesis-driven approach. Use optimized KQL to pivot between data sources without losing context of the attack chain.
Map queries to MITRE ATT&CK technique IDs (e.g., T1059, Command and Scripting Interpreter) by filtering for specific process parameters and parent-child relationships in `DeviceProcessEvents`.
Start with broad aggregations using `summarize` to find outliers, then drill down using specific `where` clauses.
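The two steps above, applied to the Office-spawns-a-shell hypothesis from the playbook section, as an added example that is not part of the formatter's template library. Stage 1 aggregates parent/child pairs with `summarize` and `dcount` to find pairs seen on few devices; stage 2 drills into only those pairs with specific `where` clauses. It assumes the standard Defender/Sentinel DeviceProcessEvents schema; the 7-day window, rarity threshold, and suspicious-argument list are illustrative.

```kql
// Added example: broad-to-narrow hunting loop over DeviceProcessEvents.
// Assumes the standard DeviceProcessEvents schema; lookback, rare_threshold and the
// parent/argument lists are illustrative tuning values.
let lookback = 7d;
let rare_threshold = 3;               // pairs seen on fewer devices than this are "rare"
let office_parents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
// Stage 1: broad aggregation. Hypothesis: T1059 launched from an Office document.
let rare_pairs =
    DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where InitiatingProcessFileName in~ (office_parents)
    | summarize Devices = dcount(DeviceName), Executions = count()
        by Parent = tolower(InitiatingProcessFileName), Child = tolower(FileName)
    | where Devices < rare_threshold
    | project Parent, Child;
// Stage 2: drill down into the rare pairs only, with specific predicates.
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| extend Parent = tolower(InitiatingProcessFileName), Child = tolower(FileName)
| join kind=inner rare_pairs on Parent, Child
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "downloadstring", "iex", "frombase64string")
     or Child in ("cmd.exe", "wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| project TimeGenerated, DeviceName, AccountName, Parent, Child,
          ProcessCommandLine, InitiatingProcessCommandLine, ReportId
| order by TimeGenerated desc
```

Normalizing both names with `tolower` before the join matters: EDR telemetry mixes `WINWORD.EXE` and `winword.exe`, and a case-sensitive `join` would split one parent into two "rare" pairs.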
SOC Data Schemas
| Table Name | Core Purpose | Key Columns |
|---|---|---|
| SecurityEvent | Windows Security Logs | EventID, Account, Computer, IpAddress |
| DeviceProcessEvents | EDR Process Execution | FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName |
| SigninLogs | Azure AD (Microsoft Entra ID) Auth Events | ResultType, UserPrincipalName, Location, IPAddress |
| CommonSecurityLog | Firewall/CEF Event Data | DeviceAction, SourceIP, DestinationPort |
How It Works
Load
Select a script from our library of 460+ SOC templates or paste your own raw KQL query.
Format
Click "Format" to instantly apply proper indentation, casing, and vertical spacing rules.
Optimize
Run the engine to identify performance bottlenecks and get suggestions for more efficient operators (for example, `has` in place of `contains`, or filtering before `summarize`).
Deploy
Copy the clean code or download it as a .kql file for your Sentinel or Defender portals.
KQL Masterclass
Filtering Logic
- `where`: Filters rows based on a predicate. Always place it as early as possible so every later operator works on fewer rows.
- `has` vs `contains`: `has` matches whole terms and is backed by the term index, which makes it significantly faster than `contains`, which scans for substrings. Use `contains` only when you genuinely need a partial-token match, and remember the two can return different rows.
Aggregation
- `summarize`: Groups rows by one or more columns and computes aggregates (count, min/max, make_set, and so on) per group.
- `dcount()`: Estimates the number of distinct values in a column. The estimate is approximate by default; pass an accuracy level, or use `count_distinct()`, when an exact figure is required.
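The added example below (not from the page's template library) runs the four rules above on a small constructed `datatable`, so it executes in any Sentinel or Kusto query window without a workspace table. It shows the one row where `has` and `contains` disagree, filters before aggregating, and reports both the estimated and the exact distinct-host count. The sample rows are constructed for illustration.

```kql
// Added example: where / has vs contains / summarize / dcount on constructed sample data.
// The rows below are constructed for illustration, not real telemetry.
let sample = datatable(TimeGenerated: datetime, Computer: string, Account: string, CommandLine: string)
[
    datetime(2024-01-01 10:00:00), "WS01", "CONTOSO\\alice", "powershell.exe -NoProfile -Command Get-Process",
    datetime(2024-01-01 10:01:00), "WS01", "CONTOSO\\alice", "powershell.exe -enc SQBFAFgA",
    datetime(2024-01-01 10:02:00), "WS02", "CONTOSO\\bob",   "cmd.exe /c whoami",
    datetime(2024-01-01 10:03:00), "WS03", "CONTOSO\\svc",   "C:\\Tools\\mypowershell_wrapper.exe -encodedcommand AAAA",
    datetime(2024-01-01 10:04:00), "WS02", "CONTOSO\\bob",   "powershell.exe -encodedcommand SQBFAFgA"
];
sample
// has: whole-term match. "mypowershell_wrapper.exe" does NOT match, because "powershell"
// is only a substring of the term "mypowershell". contains: substring match, so it DOES
// match that row, and it is the slower operator.
| extend HasMatch      = CommandLine has "powershell",
         ContainsMatch = CommandLine contains "powershell"
// Filter first, on the cheap indexed predicate, so everything after sees fewer rows
| where HasMatch
| where CommandLine has_any ("enc", "encodedcommand")       // encoded-command executions only
| summarize Executions = count(),
            Hosts      = dcount(Computer),                    // estimated distinct hosts (HLL)
            HostsExact = count_distinct(Computer),            // exact distinct hosts, costlier
            Accounts   = make_set(Account)
    by bin(TimeGenerated, 1h)
```

Expected shape of the result on this sample: one bucket (10:00) with 2 executions on 2 distinct hosts (WS01 and WS02) and 2 accounts; the `mypowershell_wrapper.exe` row is excluded by `has` even though it carries an encoded command, which is exactly the trade-off to be aware of when choosing `has` for speed.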
Pro Tip
"A query that scans a million rows and projects only 2 columns is 10x faster than one that projects all columns."
— SENTINEL ARCHITECT GUIDE
Security Built-In
This tool processes all data locally in your browser. No KQL scripts, account names, or log data are ever transmitted to our servers. Full compliance with SOC2 and local data privacy standards.