Tampermonkey userscript that adds a threat hunting query menu to Microsoft Sentinel and Microsoft Defender Advanced Hunting pages.
Browse, search, pin, and inject KQL queries directly into the Monaco editor.
Screenshots: Defender (dark mode), Sentinel, Sentinel (popup).
- Inline "Threat Hunting Queries" button in the command bar
- Tabs: User Rules (bundled), Reprise99, Bert-JanP, FalconFriday (fetched from GitHub)
- Category filter chips for quick sub-filtering within each repo tab
- Search across query name, description, category, and KQL content
- Pin queries for quick access (horizontal pill bar above results)
- Click any query row to inject it into the editor
- Works in both Sentinel (reactblade iframe) and Defender (security.microsoft.com)
- Light/dark theme support via Azure Portal CSS variables
- Install Tampermonkey
- Click Install Userscript (auto-installs in Tampermonkey)
- Navigate to Advanced Hunting in Sentinel or Defender
| Repo | Queries | Format |
|---|---|---|
| reprise99/Sentinel-Queries | ~460 | .kql files |
| Bert-JanP/Hunting-Queries-Detection-Rules | ~445 | .md with fenced KQL |
| FalconForceTeam/FalconFriday | ~40 | .md with fenced KQL |
Rules are fetched lazily on the first tab click and cached locally for 12 hours.
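
The `.md with fenced KQL` format and the 12-hour cache described above, sketched as an added example (not the userscript's own code). The function names, the `kql`/`kusto` fence tags, the Map-like `store` and the injected `fetchText` are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not the userscript's own code.
const TTL_MS = 12 * 60 * 60 * 1000; // 12-hour cache lifetime from the README

// Extract fenced KQL from markdown. Assumption: fences are tagged kql or kusto;
// other fences are skipped so their "#" comment lines are not read as headings.
function extractKql(markdown) {
  const out = [];
  let title = null, mode = "text", buf = [];
  for (const line of markdown.split(/\r?\n/)) {
    const fence = line.match(/^\s*```\s*(\S*)\s*$/);
    if (mode === "text") {
      const h = line.match(/^#{1,6}\s+(.*\S)/);
      if (h) title = h[1];
      else if (fence) { mode = /^(kql|kusto)$/i.test(fence[1]) ? "kql" : "other"; buf = []; }
    } else if (fence && fence[1] === "") {
      const kql = buf.join("\n").trim();
      if (mode === "kql" && kql) out.push({ title, kql });
      mode = "text";
    } else if (mode === "kql") {
      buf.push(line);
    }
  }
  return out; // an unterminated fence is dropped rather than guessed at
}

// Lazy load with a TTL cache. `store` is Map-like; `fetchText` and `now` are
// injected so the logic can be exercised offline.
async function getRules(repo, store, fetchText, now = Date.now()) {
  const hit = store.get(repo);
  if (hit && now - hit.at < TTL_MS) return hit.rules;
  const rules = extractKql(await fetchText(repo));
  store.set(repo, { at: now, rules });
  return rules;
}

// Constructed sample input (not taken from any of the listed repositories).
const SAMPLE_MD = [
  "# Constructed rule", "```powershell", "# not a heading", "```",
  "## Sign-in failures", "```KQL", "SigninLogs", "| where ResultType != 0", "```",
  "```kql", "DeviceEvents | take 10", // unterminated fence: ignored
].join("\n");
```

Query text pulled from third-party repositories is untrusted input, so a menu built on a parser like this should render titles and KQL as plain text rather than as HTML.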
```bash
npm install
npm run build
```

Output: `dist/sentinel-userscript.user.js`
- SentinelOne Userscript - Similar project for SentinelOne


