KQL Search

Search and discover KQL queries for Microsoft Sentinel, Defender, and Azure Monitor

AI ToolsGenerate & analyzeDevice QueryIntune queries
News Device
DeviceProcessEvents

Git Abuse High Fidelity

Ali Hussein|Apr 1, 2026
DeviceProcessEvents

Execution Git Commit Amend No Verify

Ali Hussein|Apr 1, 2026
DeviceProcessEvents

Execution Batch Git Abuse

Ali Hussein|Apr 1, 2026
DeviceProcessEvents

Defense Evasion Time Change Git

Ali Hussein|Apr 1, 2026
DeviceProcessEvents

Defense Evasion Git Config Masquerade

Ali Hussein|Apr 1, 2026
DeviceProcessEvents

Correlation Git And VS Code Task Abuse

Ali Hussein|Apr 1, 2026
DeviceProcessEvents

Git Force Push

Ali Hussein|Apr 1, 2026
DeviceLogonEventsDeviceNetworkEvents

Privileged RDP Session Source Mismatch

Benjamin Zulliger|Mar 31, 2026
DeviceRegistryEvents

IFEO Unauthorized Debugger Registration

Benjamin Zulliger|Mar 31, 2026
DeviceProcessEvents

Mac OS Suspicious Shell Or Direct Process Execution From Browser

Benjamin Zulliger|Mar 30, 2026
DeviceTvmSecureConfigurationAssessmentDeviceTvmSecureConfigurationAssessmentKB

Device TVM Secure Configuration Assessment Summary

Benjamin Zulliger|Mar 30, 2026
DeviceNetworkEvents

Node C2polinder

Ali Hussein|Mar 29, 2026
DeviceFileEvents

Vs Code Persistence

Ali Hussein|Mar 29, 2026
DeviceProcessEvents

Polin Rider Node

Ali Hussein|Mar 29, 2026
AzureActivity

Azure Azure Activity Compromised Account

Bert-Jan Pals|Mar 23, 2026
EntraIdSignInEventsSigninLogs

Successful Signin From Suspicious User Agent

Bert-Jan Pals|Mar 23, 2026
DeviceProcessEvents

Local Administrator Account Added By Scheduled Task

Benjamin Zulliger|Mar 23, 2026
DeviceEvents

Defender IOC Warning Bypass Or Monitor Mode MDA Bypass

Jay Kerai|Mar 19, 2026
DeviceInfo

List Devices Array

Nathan Hutchinson|Mar 18, 2026
SecurityEvent

Security Event Unusual User Account Authentication

Jose Sebastián Canós|Mar 18, 2026
EmailAttachmentInfoEmailEvents

IC Catching Emojis Into Email Attachment Files Names

Sergio Albea|Mar 17, 2026
DeviceFileEvents

IC Catching Emojis Into File Names

Sergio Albea|Mar 17, 2026
EmailEventsUrlClickEvents

IC Catching Emojis On Email Subjects

Sergio Albea|Mar 17, 2026
FileMaliciousContentInfo

MDO File Malicious Content Info

Alex Verboon|Mar 16, 2026
SentinelHealth

Sentinel Health Scheduled Analytics Rule Runs Anomaly

Jose Sebastián Canós|Mar 12, 2026
DeviceProcessEvents

Advanced Multi Stage Windows Enumeration Post Exploitation Detector

Benjamin Zulliger|Mar 10, 2026
DeviceNetworkEvents

Potential Beaconing Activity

Bert-Jan Pals|Mar 9, 2026
DeviceProcessEvents

Advanced Multi Stage Linux Enumeration Post Exploitation Detector

Benjamin Zulliger|Mar 9, 2026
DeviceEvents

Process Primary Token Elevated To Se Debug Priv

Bert-Jan Pals|Mar 8, 2026
DeviceEvents

Scheduled Tasks From App Data Created Or Updated

Bert-Jan Pals|Mar 7, 2026
DeviceProcessEventsDeviceEvents

Defender Exclusion Events

Bert-Jan Pals|Mar 7, 2026
DeviceEvents

Rare Lnk File Created On Desktop

Bert-Jan Pals|Mar 7, 2026
AuditLogsAADSignInEventsBeta

Detection Of High Risk Sign Ins From New Or Uncommon I Ps With User Agent Or OS Changes

Benjamin Zulliger|Mar 3, 2026
DeviceNetworkEvents

Monitoring Explorer Initiated External Traffic

Sergio Albea|Mar 1, 2026
CopilotActivity

Excessive Copilot Prompt Activity

Benjamin Zulliger|Feb 26, 2026
CopilotActivity

Microsoft Copilot Access To External Resources XPIA

Benjamin Zulliger|Feb 26, 2026
CloudAppEvents

Microsoft Copilot Jailbreak Detected

Benjamin Zulliger|Feb 26, 2026
DeviceProcessEvents

Attempt To Disable Syslog Service

Benjamin Zulliger|Feb 26, 2026
DeviceProcessEvents

Attempt To Disable Auditd Service

Benjamin Zulliger|Feb 26, 2026
ADOAuditLogs_CL

Azure Dev Ops Activity From Newor Rare IP Outside Business Hours

Benjamin Zulliger|Feb 26, 2026
ADOAuditLogs_CL

Azure Dev Ops Critical Search Queries

Benjamin Zulliger|Feb 26, 2026
ADOAuditLogs_CL

Azure Dev Ops Critical Permission Modification

Benjamin Zulliger|Feb 26, 2026
LOLDriversDeviceEvents

MDE Asr Vulnerable Signed Driver Blocked

Alex Verboon|Feb 23, 2026
DeviceProcessEvents

Click Fix Lo L Bin Abuse

Benjamin Zulliger|Feb 23, 2026
DeviceProcessEvents

Click Fix Nslookup DNS Staging

Benjamin Zulliger|Feb 23, 2026
DeviceRegistryEvents

Run MRU Click Fix Detection

Benjamin Zulliger|Feb 23, 2026
SecurityIncidentSecurityAlert

Alert Efficiency

Bert-Jan Pals|Feb 22, 2026
EntraIdSignInEvents

Entra Id Sign In Events Suspicious User Agent

Jay Kerai|Feb 17, 2026
EntraIdSignInEvents

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Jay Kerai|Feb 17, 2026
DeviceEventsDeviceNetworkInfo

Windows Windows Firewall Outbound Blocked Connections

Nathan Hutchinson|Feb 17, 2026