Khiok Hwa Steven Lim
Empowering Defenders with KQL & Microsoft Security
📋 Biography
Steven Lim, widely known as “KQLWizard,” is passionate about helping defenders succeed with Microsoft Sentinel and Defender XDR. Ranked #1 in Cybersecurity Singapore and top 50 globally by Favikon, he has built a strong, authentic presence across LinkedIn and X sharing 700+ posts with nearly 10 million impressions. Steven contributes high-fidelity hunting queries to GitHub and KQLSearch.com, enabling practitioners to operationalize threat intelligence faster and strengthen SOC capabilities. As a technical advisor to Detections.AI, he supports a thriving community of 10,000+ security engineers, fostering collaboration and knowledge sharing. Through mentorship, open-source projects, and community events, Steven is committed to making Microsoft’s security technologies more approachable, actionable, and inclusive—especially for emerging professionals and underrepresented communities.
✨ High-Impact Contributions 5
Inspired by Kaseya’s recent exposé, I dive into how attackers weaponize legitimate Apple and PayPal emails — and share KQL hunting queries, infrastructure insights, and real-world indicators to help defenders spot what authentication alone can’t.
KQL for Defender XDR, Microsoft Sentinel & other Microsoft Solutions
1. https://github.com/SlimKQL/Detections.AI/blob/main/KQL/openclaw-installation-detection-on-mde.kql
2. https://github.com/SlimKQL/Detections.AI/blob/main/KQL/docmagic-impersonation-campaign-redirects-users-to-tycoon2fa-phishing-pages.kql
3. https://github.com/SlimKQL/Detections.AI/blob/main/KQL/hunting-paypal-dkim-replay-attacks.kql
4. https://github.com/SlimKQL/Detections.AI/blob/main/KQL/windows-notepad-vulnerability-rce-detection.kql
5. https://github.com/SlimKQL/Detections.AI/blob/main/KQL/clickfix-nslookup-abuse-detection.kql
I contributed over 400 high-fidelity KQL hunting queries and detections to the Detections.AI SlimKQL User Group, focused on Microsoft Sentinel and Defender XDR. These contributions help defenders operationalize threat intelligence faster, improve detection coverage, and reduce false positives. Each query is designed to be modular, scalable, and aligned with real-world attack patterns. By sharing these resources openly, I’ve empowered thousands of security engineers to accelerate their detection engineering workflows, strengthen their SOC capabilities, and adopt Microsoft’s SIEM/XDR technologies more effectively across diverse environments.
I authored “KQL Grimoire Part 2” in April 2025 to advance the community’s understanding of high-fidelity detection engineering in Microsoft Sentinel and Defender XDR. The article introduces the concept of signal stacking—layering weak behavioral indicators to create stronger, actionable detections—and showcases modular KQL design patterns that improve scalability and maintainability. By sharing practical examples and engineering-focused strategies, I helped defenders move beyond basic IOC matching toward more resilient, signal-driven detection logic. This content has empowered practitioners to write more effective queries, reduce false positives, and deepen their mastery of KQL—the core language behind Microsoft’s SIEM/XDR platforms.
Beyond social media, I actively contribute to open-source projects. I’ve published 322 hunting queries and detections on GitHub, focused on Microsoft Sentinel and Defender XDR. These contributions have earned 756 GitHub stars, reflecting their practical value to the community.