Sentinel Workspace Disconnected

CloudAppEvents
Author: Bert-Jan Pals
Released: August 18th, 2025

Entra Auditing Tenant Restrictions V2 Events

SigninLogs
Author: Jay Kerai
Released: August 15th, 2025

Sign In Logs B2B Access Restrictions

SigninLogs
Author: Jay Kerai
Released: August 15th, 2025

Graph API Audit Events Graph Resource API Request Stats

GraphAPIAuditEvents
Author: Bert-Jan Pals
Released: August 14th, 2025

Graph API Audit Events Graph URIAPI Request Stats

GraphAPIAuditEvents
Author: Bert-Jan Pals
Released: August 14th, 2025

Graph API Audit Events IP Enrichment

GraphAPIAuditEvents
Author: Bert-Jan Pals
Released: August 14th, 2025

Graph API Audit Events App Enrichment External Data

GraphAPIAuditEvents
Author: Bert-Jan Pals
Released: August 14th, 2025

Graph API Audit Events App Enrichment AAD Non Interactive User Sign In Logs

GraphAPIAuditEvents, AADNonInteractiveUserSignInLogs
Author: Bert-Jan Pals
Released: August 14th, 2025

Graph API Audit Events Azure Hound

MicrosoftGraphActivityLogs
Author: Bert-Jan Pals
Released: August 14th, 2025

Graph API Audit Events User Enrichment

GraphAPIAuditEvents, IdentityInfo
Author: Bert-Jan Pals
Released: August 14th, 2025

Request An Actor Token For Graphwindowsnet Using Service To Service S2S

AuditLogs
Author: Jay Kerai
Released: August 14th, 2025

Email Events Sender TLD Count

EmailEvents
Author: Jay Kerai
Released: August 11th, 2025

Risk Based Step Up Consent RBSU For Application

AuditLogs
Author: Jay Kerai
Released: August 7th, 2025

App Consent To Risky Application

AuditLogs
Author: Jay Kerai
Released: August 6th, 2025

Identify Ip Assets From Mdeasm In Exposure Management That Match Ti

ThreatIntelligenceIndicator, ExposureGraphNodes
Author: Michalis Michalos
Released: August 5th, 2025

Identify Mdeasm Hosts With High Or Critical Vulnerabilities And A Cvss Score Over 8

ExposureGraphNodes
Author: Michalis Michalos
Released: July 31st, 2025

Identify Assets From Mdeasm In Exposure Management That Match Ti

ThreatIntelligenceIndicator, ExposureGraphNodes
Author: Michalis Michalos
Released: July 31st, 2025

Identify Assets From Mdeasm In Exposure Management

ExposureGraphNodes
Author: Michalis Michalos
Released: July 31st, 2025

Identify Cves In Mdeasm Web Pages Through Exposure Management

ExposureGraphNodes, ExposureGraphEdges
Author: Michalis Michalos
Released: July 31st, 2025

Successful Join Of Fake Device Using ROPC Query By Goldjg

SigninLogs, AuditLogs
Author: Jay Kerai
Released: July 30th, 2025

Signin Logs Legacy Protocols Used In Entra ID Authentication

SigninLogs
Author: Jose Sebastián Canós
Released: July 30th, 2025

Multiple Unexpected Account Using A Power Shell App In Entra ID

UUID-EntraIdApps, ResultType-SignInLogsErrorCodes, RegEx-PrivDomainGroups, RegEx-PrivAADRoles, IdentityInfo, SigninLogs, AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós
Released: July 30th, 2025

Unified Microsoft Graph Logs

GraphAPIAuditEvents
Author: Thomas Naunheim
Released: July 30th, 2025

Detect Attempts To Modify Amcachehve Or SYSTEM File

DeviceFileEvents
Author: Sergio Albea
Released: July 29th, 2025

Enabled Data Connectors

SentinelHealth
Author: Rod Trent
Released: July 28th, 2025

Analytics Authentication Methods Changes

AuditLogs, AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós
Released: July 23rd, 2025

Analytics Authentication Method Changes Old

AuditLogs, AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós
Released: July 23rd, 2025

Last Password Change Time With Account Creation Time

AADSignInEventsBeta, IdentityInfo
Author: Jay Kerai
Released: July 22nd, 2025

Audit Mandatory Office Days Using Advanced Hunting

AADSignInEventsBeta
Author: Jay Kerai
Released: July 21st, 2025

Email AIR Effectiveness

EmailPostDeliveryEvents
Author: Bert-Jan Pals
Released: July 21st, 2025

RDP Trace Removal Detection

DeviceProcessEvents
Author: Sergio Albea
Released: July 18th, 2025

Enriched Microsoft Graph Activity

ExposureGraphNodes, GraphAPIAuditEvents
Author: Thomas Naunheim
Released: July 17th, 2025

Multiple User Reported Unusual Sign In Event As Not Legitimate

AuditLogs, SigninLogs
Author: Jose Sebastián Canós
Released: July 16th, 2025

Detect Direct Send Phishing Emails

SigninLogs, EmailEvents
Author: Robbe Van den Daele
Released: July 15th, 2025

Threat Intel Indicators Stopped Event Reception Threat Intel Indicators

ThreatIntelIndicators
Author: Jose Sebastián Canós
Released: July 9th, 2025

Common Security Log Stopped Event Reception Common Security Log Device Product

CommonSecurityLog
Author: Jose Sebastián Canós
Released: July 9th, 2025

Suspicious Explorer Child Process

DeviceProcessEvents
Author: Bert-Jan Pals
Released: July 4th, 2025

MDE Device Registry Events Tampering To Device Tag

DeviceRegistryEvents
Author: Jay Kerai
Released: July 3rd, 2025

Entra Sign Ins To Legacy Azure Active Directory Powershell

SigninLogs
Author: Jay Kerai
Released: July 3rd, 2025

Detect The Removal Of Evidence On Executed Programs

DeviceProcessEvents
Author: Sergio Albea
Released: July 2nd, 2025

Detect Bcedit Commands Related To Boot Configuration

DeviceProcessEvents
Author: Sergio Albea
Released: July 2nd, 2025

Suspicious Browser Child Process

DeviceProcessEvents
Author: Bert-Jan Pals
Released: July 2nd, 2025

Audit Logs Azure RBAC Elevated Access Operation

AuditLogs
Author: Jose Sebastián Canós
Released: June 30th, 2025

Identify Microsoft Sentinel Changes From Users Not Defined Within Approved User Groups

ExposureGraphEdges, IdentityInfo, SentinelAudit
Author: Michalis Michalos
Released: June 30th, 2025

Identify Activities In Log Analytics Workspace Resource Locks

AzureActivity
Author: Michalis Michalos
Released: June 30th, 2025

Identify Log Analytics Contributor And Data Purger Role Assignment

AzureActivity
Author: Michalis Michalos
Released: June 30th, 2025

Monitor For Analytics Editing In Microsoft Sentinel

SentinelAudit
Author: Michalis Michalos
Released: June 30th, 2025

Ca Bypass First Party Apps

AADSignInEventsBeta, SigninLogs, AADNonInteractiveUserSignInLogs
Author: Thomas Naunheim
Released: June 29th, 2025

EEG Trace Lateral Movement

ExposureGraphNodes, ExposureGraphEdges
Author: Alex Verboon
Released: June 29th, 2025

EEG High Privilege Identities Across Subscriptions

ExposureGraphEdges, ExposureGraphNodes
Author: Alex Verboon
Released: June 29th, 2025