KQL Search

MDE Device Registry Events Tampering To Device Tag

DeviceRegistryEvents
Author: Jay KeraiReleased: July 3rd, 2025

Entra Sign Ins To Legacy Azure Active Directory Powershell

SigninLogs
Author: Jay KeraiReleased: July 3rd, 2025

Detect The Removal Of Evidence On Executed Programs

DeviceProcessEvents
Author: Sergio AlbeaReleased: July 2nd, 2025

Detect Bcedit Commands Related To Boot Configuration

DeviceProcessEvents
Author: Sergio AlbeaReleased: July 2nd, 2025

Suspicious Browser Child Process

DeviceProcessEvents
Author: Bert-Jan PalsReleased: July 2nd, 2025

Audit Logs Azure RBAC Elevated Access Operation

AuditLogs
Author: Jose Sebastián CanósReleased: June 30th, 2025

Identify Microsoft Sentinel Changes From Users Not Defined Within Approved User Groups

ExposureGraphEdgesIdentityInfoSentinelAudit
Author: Michalis MichalosReleased: June 30th, 2025

Identify Activities In Log Analytics Workspace Resource Locks

AzureActivity
Author: Michalis MichalosReleased: June 30th, 2025

Identify Log Analytics Contributor And Data Purger Role Assignment

AzureActivity
Author: Michalis MichalosReleased: June 30th, 2025

Monitor For Analytics Editing In Microsoft Sentinel

SentinelAudit
Author: Michalis MichalosReleased: June 30th, 2025

Ca Bypass First Party Apps

AADSignInEventsBetaSigninLogsAADNonInteractiveUserSignInLogs
Author: Thomas NaunheimReleased: June 29th, 2025

EEG High Privilege Identities Across Subscriptions

ExposureGraphEdgesExposureGraphNodes
Author: Alex VerboonReleased: June 29th, 2025

EEG Trace Lateral Movement

ExposureGraphNodesExposureGraphEdges
Author: Alex VerboonReleased: June 29th, 2025

MDI Sensor Deleted

CloudAppEvents
Author: Bert-Jan PalsReleased: June 29th, 2025

Detect Anomalous External O Auth App Activity Using Actor Info String

CloudAppEventsOAuthAppInfo
Author: Steven LimReleased: June 28th, 2025

Hackers Exploit Cloudflare Tunnels To Infect Windows Systems With Python Malware

WeeklyOSINTEmailAttachmentInfoEmailUrlInfoDeviceFileEventsDeviceNetworkEvents
Author: Steven LimReleased: June 27th, 2025

Analytics App Consent Assignment

AuditLogs
Author: Jose Sebastián CanósReleased: June 27th, 2025

Direct Send Abuse Detection

DeviceEvents
Author: Steven LimReleased: June 26th, 2025

Detecting Text And CSV Data Dumps Via Command Line

DeviceEvents
Author: Sergio AlbeaReleased: June 26th, 2025

Suspicious CLI Obfuscation

DeviceProcessEvents
Author: Steven LimReleased: June 25th, 2025

Suspicious MSHTA Usage

DeviceProcessEvents
Author: Steven LimReleased: June 24th, 2025

File Fix Detection

DeviceProcessEvents
Author: Steven LimReleased: June 24th, 2025

Hunt Mdi Not Installed

DeviceTvmSoftwareInventoryExposureGraphNodes
Author: Robbe Van den DaeleReleased: June 23th, 2025

Analytics Entra ID Role Assignments

AuditLogs
Author: Jose Sebastián CanósReleased: June 23th, 2025

Audit Logs Entra ID Role Assignment

EntraIDRoleAssignments
Author: Jose Sebastián CanósReleased: June 23th, 2025

Audit Logs Entra ID B2C Settings Modified

AuditLogs
Author: Jose Sebastián CanósReleased: June 23th, 2025

Analytics Unexpected Entra ID Device

_GetWatchlistAuditLogsSigninLogsAADNonInteractiveUserSignInLogs
Author: Jose Sebastián CanósReleased: June 23th, 2025

Multiple Unexpected Entra ID Device

UnexpectedEntraIDDevice
Author: Jose Sebastián CanósReleased: June 23th, 2025

Audit Logs Entra ID Unusual Operation

AuditLogs
Author: Jose Sebastián CanósReleased: June 23th, 2025

Detecting Connections Affected By The Blocking Legacy Authentication Enforcement Expected By July 2025

AADSignInEventsBeta
Author: Sergio AlbeaReleased: June 23th, 2025

Unified Identity Info Xdr

IdentityInfo OAuthAppInfo ExposureGraphNodes ExposureGraphEdges
Author: Thomas NaunheimReleased: June 23th, 2025

Sniffing Out UNC3944 On Teams

IdentityInfoMessageEventsMessageUrlInfo
Author: Steven LimReleased: June 22th, 2025

Cloudflared Tunnel

DeviceProcessEvents
Author: C.J. MayReleased: June 20th, 2025

External Attack Surface Monitoring KQL

ExposureGraphNodesDeviceNetworkEvents
Author: Steven LimReleased: June 18th, 2025

Social Engineering Attack Detection

EmailEventsDeviceNetworkEventsRMMList
Author: Steven LimReleased: June 18th, 2025

User Account Deletion

SecurityEvent
Author: Bert-Jan PalsReleased: June 16th, 2025

Detect Cred Add To Connect Sync Application

AuditLogs
Author: Robbe Van den DaeleReleased: June 16th, 2025

Detect Changes To Connect Sync Application

AuditLogs
Author: Robbe Van den DaeleReleased: June 16th, 2025

TA4557 Drops More Eggs

DeviceEvents
Author: Steven LimReleased: June 16th, 2025

CVE 2025 33073 Detection

DeviceInfoDnsEvents
Author: Steven LimReleased: June 16th, 2025

Entra ID PIM Role Activations

AuditLogs
Author: Alex VerboonReleased: June 15th, 2025

Entra ID Disabled Userswith Priv Roles

IdentityInfo
Author: Alex VerboonReleased: June 15th, 2025

MDE Defenderpassivemode

DeviceTvmInfoGathering
Author: Alex VerboonReleased: June 15th, 2025

Entra ID Enterprise Apps Deleted

AuditLogs
Author: Alex VerboonReleased: June 15th, 2025

MDE Windows Server Client Missing Updates Summary

DeviceTvmSoftwareVulnerabilitiesDeviceInfo
Author: Alex VerboonReleased: June 15th, 2025

Discord Invite Hijacking Detection

DeviceNetworkEvents
Author: Steven LimReleased: June 15th, 2025

MDE Office365version History

DeviceTvmSoftwareInventory
Author: Alex VerboonReleased: June 14th, 2025

Suspicious O Auth Applications Used To Retrieve And Send Emails

OAuthAppInfo
Author: Steven LimReleased: June 14th, 2025

Potential Commands Executed By A Power Shellexe Renamed

DeviceProcessEvents
Author: Sergio AlbeaReleased: June 12nd, 2025

Hunt MSOL Azure AD Connect Or Entra Sync Servers

DeviceTvmSoftwareInventory
Author: Robbe Van den DaeleReleased: June 12nd, 2025