KQL Search

Detecting Abuse Of Sync Thing Tool To Steal Data

DeviceNetworkEvents

Author: Sergio AlbeaReleased: November 6th, 2025

Sliver C2beacon Loaded

DeviceImageLoadEventsDeviceEventsDeviceNetworkEvents

Author: Bert-Jan PalsReleased: November 6th, 2025

NRT Auto IR High Impact Alert

AlertEvidence

Author: Bert-Jan PalsReleased: November 4th, 2025

Entra Identify And Map Authentication Context Usage

SigninLogs

Author: Jay KeraiReleased: November 3rd, 2025

Access Review On Role Assignable Group Auto Deleted

AuditLogs

Author: Jay KeraiReleased: November 2nd, 2025

XDR Upn Alerts

AlertEvidenceAlertInfo

Author: Bert-Jan PalsReleased: November 1st, 2025

Detecting Modification Of Windows Security Audit Policy Auditpolexe

DeviceRegistryEvents

Author: Sergio AlbeaReleased: October 29th, 2025

Detecting Execution Of Windows Security Audit Policy Auditpolexe

DeviceProcessEvents

Author: Sergio AlbeaReleased: October 29th, 2025

Detect Suspicious Spn Logon From Workstation

IdentityLogonEventsDeviceNetworkInfoDeviceInfo

Author: Robbe Van den DaeleReleased: October 24th, 2025

Detect Dump Guard Ntlm Challenge

DeviceNetworkEvents

Author: Robbe Van den DaeleReleased: October 24th, 2025

Third Party Phishing Report Malfunction

OfficeActivity

Author: Jose Sebastián CanósReleased: October 21th, 2025

Audit When PIM Fails To Remove An Eligible Member From Role

AuditLogs

Author: Jay KeraiReleased: October 19th, 2025

Detect Last Pass Hack Emails Attempts To Trick Users Into Installing Malware

EmailAttachmentInfoDeviceFileEventsDeviceEvents

Author: Sergio AlbeaReleased: October 16th, 2025

Identifying File Exfiltration Via RDP Sessions

DeviceFileEvents

Author: Sergio AlbeaReleased: October 15th, 2025

Cache Smuggle

DeviceProcessEvents

Author: Daniel CardReleased: October 14th, 2025

NTDS File Create Modify

DeviceFileEvents

Author: Ali HusseinReleased: October 13rd, 2025

Identities Bad Reputation ASN Activities

IdentityLogonEvents

Author: Sergio AlbeaReleased: October 10th, 2025

Security Event Unexpected Network Share Access In A Domain Controller

_GetWatchlistSecurityEvent

Author: Jose Sebastián CanósReleased: October 7th, 2025

Detect Azure Script Or Run Command By Risky User

AzureActivityAADUserRiskEvents

Author: Robbe Van den DaeleReleased: October 6th, 2025

Detect Executable Drop Via Azure

DeviceFileEvents

Author: Robbe Van den DaeleReleased: October 6th, 2025

Detect First Time Azure Custom Script Or Run Command

BehaviorAnalytics

Author: Robbe Van den DaeleReleased: October 6th, 2025

Detect Process Drop Via Azure Lateral Movement

DeviceFileEventsDeviceNetworkEvents

Author: Robbe Van den DaeleReleased: October 6th, 2025

MDA IP Address Type

CloudAppEvents

Author: Jay KeraiReleased: October 2nd, 2025

MDA File Download By Country

CloudAppEvents

Author: Jay KeraiReleased: October 2nd, 2025

Anomalies Anomalous Role Assignment

Anomalies

Author: Jose Sebastián CanósReleased: October 1st, 2025

XDR Device Alerts

AlertEvidenceAlertInfo

Author: Bert-Jan PalsReleased: September 28th, 2025

Detecting Potential CA Policy Bypass By Privileged Accounts Via Private Browser Sessions

DeviceProcessEventsIdentityInfo

Author: Sergio AlbeaReleased: September 28th, 2025

Multiple Activity From Anonymous IP Addresses

AADUserRiskEventsSecurityAlertSigninLogsAADNonInteractiveUserSignInLogs

Author: Jose Sebastián CanósReleased: September 26th, 2025

Ingestion Delays

GraphAPIAuditEventsMicrosoftGraphActivityLogs

Author: Bert-Jan PalsReleased: September 23th, 2025

Removed Device Events

SecurityEventAuditLogs

Author: Jose Sebastián CanósReleased: September 23th, 2025

Multiple Microsoft Entra Threat Intelligence

AADUserRiskEventsSecurityAlertSigninLogs

Author: Jose Sebastián CanósReleased: September 18th, 2025

New KSMBD Do S CVE 2025 38501 Can Exhaust SMB Connections Via Half Open TCP Handshakes

DeviceInfoDeviceNetworkEvents

Author: Sergio AlbeaReleased: September 17th, 2025

Multiple Entra ID Protection Risk Events

EntraIDProtectionRiskEvents

Author: Jose Sebastián CanósReleased: September 17th, 2025

Analytics Entra ID Protection Risk Events

AADUserRiskEvents SecurityAlert SigninLogs AADNonInteractiveUserSignInLogs

Author: Jose Sebastián CanósReleased: September 17th, 2025

Multiple Risky AD FS Sign In

AADUserRiskEventsSigninLogs

Author: Jose Sebastián CanósReleased: September 17th, 2025

MDE Aggregated Reporting

DeviceFileEventsDeviceLogonEventsDeviceNetworkEventsDeviceProcessEvents

Author: Alex VerboonReleased: September 17th, 2025

MDE Onboarding Status Timeline

DeviceInfo

Author: Alex VerboonReleased: September 17th, 2025

TH Wmic PS Encoded

DeviceProcessEvents

Author: Alex VerboonReleased: September 17th, 2025

Sign In Attempts Using Deprecated TLS Versions

AADSignInEventsBeta

Author: Sergio AlbeaReleased: September 16th, 2025

Hunt Critical Credentials On Non Tpm Devices

ExposureGraphNodesExposureGraphEdges

Author: Robbe Van den DaeleReleased: September 15th, 2025

Hunt Critical Credentials On Devices With Non Critical Accounts

ExposureGraphNodesExposureGraphEdges

Author: Robbe Van den DaeleReleased: September 15th, 2025

Hunt Public Remotly Exploitable Devices With High EPSS

ExposureGraphNodesDeviceNetworkEventsDeviceTvmSoftwareVulnerabilitiesDeviceTvmSoftwareVulnerabilitiesKB

Author: Robbe Van den DaeleReleased: September 15th, 2025

Hunting For Malicious Click Fix Cases From Airports

DeviceNetworkEvents

Author: Sergio AlbeaReleased: September 12nd, 2025

Add Custom Security Attribute Definition In An Attribute Set

AADCustomSecurityAttributeAuditLogs

Author: Jay KeraiReleased: September 10th, 2025

WDAC App Control Collect Data For App Control Manager

DeviceEvents

Author: Jay KeraiReleased: September 9th, 2025

Device Events App Locker Events

DeviceEvents

Author: Jay KeraiReleased: September 9th, 2025

Potential User Signed Into Edge Browser From Unmanaged Or Unregistered Device

SigninLogs

Author: Jay KeraiReleased: September 8th, 2025

Rclone Copy Process Args

DeviceProcessEvents

Author: Jay KeraiReleased: September 7th, 2025

Azure Function App Stopped Or Deleted

AzureActivity

Author: Jay KeraiReleased: September 5th, 2025

Azure Communication Services Deleted

AzureActivity

Author: Jay KeraiReleased: September 5th, 2025

KQL Search

Our Sponsors ❤️

Detecting Abuse Of Sync Thing Tool To Steal Data

Sliver C2beacon Loaded

NRT Auto IR High Impact Alert

Entra Identify And Map Authentication Context Usage

Access Review On Role Assignable Group Auto Deleted

XDR Upn Alerts

Detecting Modification Of Windows Security Audit Policy Auditpolexe

Detecting Execution Of Windows Security Audit Policy Auditpolexe

Detect Suspicious Spn Logon From Workstation

Detect Dump Guard Ntlm Challenge

Third Party Phishing Report Malfunction

Audit When PIM Fails To Remove An Eligible Member From Role

Detect Last Pass Hack Emails Attempts To Trick Users Into Installing Malware

Identifying File Exfiltration Via RDP Sessions

Cache Smuggle

NTDS File Create Modify

Identities Bad Reputation ASN Activities

Security Event Unexpected Network Share Access In A Domain Controller

Detect Azure Script Or Run Command By Risky User

Detect Executable Drop Via Azure

Detect First Time Azure Custom Script Or Run Command

Detect Process Drop Via Azure Lateral Movement

MDA IP Address Type

MDA File Download By Country

Anomalies Anomalous Role Assignment

XDR Device Alerts

Detecting Potential CA Policy Bypass By Privileged Accounts Via Private Browser Sessions

Multiple Activity From Anonymous IP Addresses

Ingestion Delays

Removed Device Events

Multiple Microsoft Entra Threat Intelligence

New KSMBD Do S CVE 2025 38501 Can Exhaust SMB Connections Via Half Open TCP Handshakes

Multiple Entra ID Protection Risk Events

Analytics Entra ID Protection Risk Events

Multiple Risky AD FS Sign In

MDE Aggregated Reporting

MDE Onboarding Status Timeline

TH Wmic PS Encoded

Sign In Attempts Using Deprecated TLS Versions

Hunt Critical Credentials On Non Tpm Devices

Hunt Critical Credentials On Devices With Non Critical Accounts

Hunt Public Remotly Exploitable Devices With High EPSS

Hunting For Malicious Click Fix Cases From Airports

Add Custom Security Attribute Definition In An Attribute Set

WDAC App Control Collect Data For App Control Manager

Device Events App Locker Events

Potential User Signed Into Edge Browser From Unmanaged Or Unregistered Device

Rclone Copy Process Args

Azure Function App Stopped Or Deleted

Azure Communication Services Deleted