KQL Search

IntuneAuditLogsBehaviorEntitiesIdentityInfo+1

Delete An Intune Multi Approval Policy By User With Uncommon Or Risky Behavior

Thomas Kurth|Jan 4, 2026

IntuneAuditLogsBehaviorEntitiesIdentityInfo+1

User With Uncommon Or Risky Behavior Is Deploying An Application With Intune To All Users Or All Devices

Thomas Kurth|Jan 4, 2026

IntuneAuditLogsBehaviorEntitiesIdentityInfo+1

User With Uncommon Or Risky Behavior Is Deploying A Script With Intune To All Users Or All Devices

Thomas Kurth|Jan 4, 2026

IntuneAuditLogsIdentityInfoGraphAPIAuditEvents+1

Managed Service Provider User B2B Or GDAP Without Device Compliance Or MFA Claim Is Managing Intune

Thomas Kurth|Jan 4, 2026

IntuneAuditLogs

Mass Wipe Or Retire Device Action

Thomas Kurth|Jan 4, 2026

SigninLogsAADNonInteractiveUserSignInLogsNetworkAccessTraffic

Consent Fix Hunting Confidence On Token And Network Signals

Thomas Naunheim|Jan 2, 2026

KnowExploitesVulnsCISA

CISAKEV Year To Date Vulnerabilities

Bert-Jan Pals|Dec 30, 2025

KnowExploitesVulnsCISA

CISAKEV Year To Date Vulnerabilities Product

Bert-Jan Pals|Dec 30, 2025

KnowExploitesVulnsCISA

CISAKEV Year To Date Vulnerabilities Release Year

Bert-Jan Pals|Dec 30, 2025

KnowExploitesVulnsCISA

CISAKEV Year To Date Vulnerabilities Edge Devices

Bert-Jan Pals|Dec 30, 2025

AADSignInEventsBeta

AADSTS Errorcodes KQL

Benjamin Zulliger|Dec 30, 2025

DeviceProcessEvents

MDE Data Collection

Alex Verboon|Dec 22, 2025

DeviceProcessEvents

Mshta Executions

Bert-Jan Pals|Dec 22, 2025

DeviceTvmCertificateInfoDeviceInfoDeviceTvmSoftwareVulnerabilities

MDE Digi Cert Global Root G2

Alex Verboon|Dec 19, 2025

SigninLogs

Correlation Id Equals Tenant Id In Peculiar Password Spray

Jose Sebastián Canós|Dec 18, 2025

accesslog

Parse Apache Accesslog

Benjamin Zulliger|Dec 17, 2025

DeviceEventsDeviceNetworkEventsDeviceProcessEvents

Suspicious MS Build Remote Thread

Bert-Jan Pals|Dec 15, 2025

DeviceEventsDeviceInfoAlertEvidence+1

Failed AV Scan On Devices With Vulnerabilities And Related Incidents

Benjamin Zulliger|Dec 15, 2025

DeviceProcessEvents

Pod Containerexec

Ali Hussein|Dec 14, 2025

DeviceFileEvents

Executable Files Program Data Folder

Bert-Jan Pals|Dec 10, 2025

DeviceProcessEventsDeviceNetworkEvents

Power Shell LOLBAS Execution With Public Network Connection

Benjamin Zulliger|Dec 9, 2025

DeviceInfo

MDE Device Active Inactive

Alex Verboon|Dec 9, 2025

DeviceInfo

MDE Device Groups

Alex Verboon|Dec 9, 2025

EmailEventsEmailUrlInfo

KQL Techniques For Email URL Redirect Hunting

Sergio Albea|Dec 8, 2025

IdentityAccountInfoIdentityInfo

MDI Identity Password Security Posture Assessment

Alex Verboon|Dec 6, 2025

OfficeActivityCloudAppEvents

MDO Auto Forwarding Mode

Alex Verboon|Dec 3, 2025

OAuthAppInfo

O Auth App Evaluation

Benjamin Zulliger|Dec 3, 2025

resources

Azure Resource Graph APIM With Basic Auth Enabled

Jay Kerai|Dec 2, 2025

AuditLogs

Entra Account Disabled

Jay Kerai|Dec 2, 2025

AuditLogs

Entra Group Changes

Jay Kerai|Dec 2, 2025

AuditLogs

Entra Password Resets

Jay Kerai|Dec 2, 2025

AuditLogs

User Deleted From Entra

Jay Kerai|Dec 2, 2025

AuditLogs

Device Deleted From Entra

Jay Kerai|Dec 2, 2025

resources

Audit Logic Apps With Office365 Connections Using Resource Query

Jay Kerai|Dec 1, 2025

DeviceProcessEvents

Executables In App Data Local Roaming

Jay Kerai|Nov 27, 2025

resourcechanges

Azure Resource VM Sku Sizes Changes

Jay Kerai|Nov 27, 2025

IdentityInfo

UEBA Find Onpremise Users With Password Not Required

Jay Kerai|Nov 27, 2025

ThreatIntelIndicatorsMessageUrlInfoMessageEvents

TI URL Or Domain Hit In Teams Messages

Benjamin Zulliger|Nov 25, 2025

resourcechanges

Azure Resource VM Sku Sizes

Jay Kerai|Nov 25, 2025

DeviceEvents

MDI Automatic Windows Auditing Configuration

Alex Verboon|Nov 22, 2025

DeviceTvmSoftwareInventory

Detect Compromised Chalk Packages

Benjamin Zulliger|Nov 21, 2025

TorExitNodesHistoricDeviceNetworkEvents

IC Tor Exit Browser Hunting Based On Device Events

Sergio Albea|Nov 18, 2025

DeviceFileEvents

Mac OS Launch Agent Or Daemon Plist File Creation Or Modification

Benjamin Zulliger|Nov 18, 2025

DeviceProcessEvents

Suspicious Unsigned File Executed In User Writeable Folder

Benjamin Zulliger|Nov 13, 2025

DeviceProcessEventsDeviceImageLoadEvents

Rustdeskexecution

Ali Hussein|Nov 12, 2025

ExposureGraphNodesExposureGraphEdges

Hunt Critical Credentials On Non Cred Guard Devices

Robbe Van den Daele|Nov 11, 2025

DeviceFileEventsDeviceNetworkEvents

Data Staging File Zilla Ps FTP Winscp

Ali Hussein|Nov 11, 2025

DeviceProcessEvents

Veeam PSQL Dump

Ali Hussein|Nov 11, 2025

DeviceEvents

DNS Zone Export

Ali Hussein|Nov 10, 2025

DeviceProcessEvents

Sshtunneltoexternalhost

Ali Hussein|Nov 10, 2025

KQL Search

Our Sponsors ❤️

Delete An Intune Multi Approval Policy By User With Uncommon Or Risky Behavior

User With Uncommon Or Risky Behavior Is Deploying An Application With Intune To All Users Or All Devices

User With Uncommon Or Risky Behavior Is Deploying A Script With Intune To All Users Or All Devices

Managed Service Provider User B2B Or GDAP Without Device Compliance Or MFA Claim Is Managing Intune

Mass Wipe Or Retire Device Action

Consent Fix Hunting Confidence On Token And Network Signals

CISAKEV Year To Date Vulnerabilities

CISAKEV Year To Date Vulnerabilities Product

CISAKEV Year To Date Vulnerabilities Release Year

CISAKEV Year To Date Vulnerabilities Edge Devices

AADSTS Errorcodes KQL

MDE Data Collection

Mshta Executions

MDE Digi Cert Global Root G2

Correlation Id Equals Tenant Id In Peculiar Password Spray

Parse Apache Accesslog

Suspicious MS Build Remote Thread

Failed AV Scan On Devices With Vulnerabilities And Related Incidents

Pod Containerexec

Executable Files Program Data Folder

Power Shell LOLBAS Execution With Public Network Connection

MDE Device Active Inactive

MDE Device Groups

KQL Techniques For Email URL Redirect Hunting

MDI Identity Password Security Posture Assessment

MDO Auto Forwarding Mode

O Auth App Evaluation

Azure Resource Graph APIM With Basic Auth Enabled

Entra Account Disabled

Entra Group Changes

Entra Password Resets

User Deleted From Entra

Device Deleted From Entra

Audit Logic Apps With Office365 Connections Using Resource Query

Executables In App Data Local Roaming

Azure Resource VM Sku Sizes Changes

UEBA Find Onpremise Users With Password Not Required

TI URL Or Domain Hit In Teams Messages

Azure Resource VM Sku Sizes

MDI Automatic Windows Auditing Configuration

Detect Compromised Chalk Packages

IC Tor Exit Browser Hunting Based On Device Events

Mac OS Launch Agent Or Daemon Plist File Creation Or Modification

Suspicious Unsigned File Executed In User Writeable Folder

Rustdeskexecution

Hunt Critical Credentials On Non Cred Guard Devices

Data Staging File Zilla Ps FTP Winscp

Veeam PSQL Dump

DNS Zone Export

Sshtunneltoexternalhost