Microsoft Sentinel Toolkit
Operational tool for SOC teams and security analysts. Manage analysis rules, explore content packs, and access a curated KQL query library for Microsoft Sentinel — directly in your browser, no installation required.
Rules Manager
Connect to your Microsoft Sentinel workspace with a Bearer token. View, filter, and bulk-enable or bulk-disable analytics rules. Export to CSV for reporting and compliance audits.
KQL Repository
Curated library of KQL queries for threat hunting, detection, and investigation. Organized by Microsoft technology (MDE, MDI, Entra, Exchange…), with MITRE ATT&CK tags and quick copy.
No license, no subscription. The toolkit is free and open to the entire security community.
New KQL queries are added regularly based on emerging threats and user requests.
No data is sent to external servers. Everything happens in your browser, securely and privately.
How to get started
Run az account get-access-token --resource "https://management.azure.com" --query accessToken -o tsv in a terminal where the Azure CLI is already signed in.
Go to the Rules tab and fill in the Subscription ID, Resource Group, and Workspace Name in the Azure Connection panel.
Enable, disable, or export analytics rules. Go to the KQL Repository tab to copy queries directly into Sentinel or Advanced Hunting.
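The three steps above, as an added example that is not the toolkit's own code: a Python script that runs the same az command for the token, lists the workspace's analytics rules through the Azure Resource Manager REST API (the alertRules endpoint path, api-version 2023-02-01 and the rule fields are my assumptions, not stated on the page) and flattens them into the CSV columns an audit export needs. It runs offline on a constructed sample; the live call is rules_to_csv(fetch_rules(get_token(), alert_rules_url(...))).

```python
# Added example, not the toolkit's own code. Assumed (not on the page): the
# Microsoft.SecurityInsights alertRules endpoint, api-version 2023-02-01, rule fields.
import csv
import io
import json
import subprocess
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2023-02-01"  # assumed api-version for Microsoft.SecurityInsights

def get_token():
    """Runs the exact Azure CLI command from the page's first step."""
    cmd = ["az", "account", "get-access-token", "--resource", ARM,
           "--query", "accessToken", "-o", "tsv"]
    return subprocess.check_output(cmd, text=True).strip()

def alert_rules_url(subscription_id, resource_group, workspace):
    """ARM path for the analytics rules of a Sentinel-enabled workspace."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/alertRules?api-version={API_VERSION}")

def fetch_rules(token, url):
    """GETs every page of rules; ARM list responses continue via nextLink."""
    rules, headers = [], {"Authorization": f"Bearer {token}"}
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            body = json.load(resp)
        rules.extend(body.get("value", []))
        url = body.get("nextLink")
    return rules

def rules_to_csv(rules):
    """Flattens rule objects into the columns a compliance export needs."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["name", "displayName", "kind", "severity", "enabled", "tactics"])
    for r in rules:
        p = r.get("properties", {})
        w.writerow([r.get("name", ""), p.get("displayName", ""), r.get("kind", ""),
                    p.get("severity", ""), p.get("enabled", ""), ";".join(p.get("tactics", []))])
    return buf.getvalue()

SAMPLE_RULES = [  # constructed sample shaped like two alertRules entries
    {"name": "rule-0001", "kind": "Scheduled", "properties": {
        "displayName": "Constructed: suspicious sign-in", "severity": "High",
        "enabled": True, "tactics": ["InitialAccess", "Persistence"]}},
    {"name": "rule-0002", "kind": "MicrosoftSecurityIncidentCreation",
     "properties": {"displayName": "Constructed: MDE incidents", "enabled": False}}]
```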