KQL Search

CopilotActivity

Excessive Copilot Prompt Activity

Benjamin Zulliger|Feb 26, 2026

CopilotActivity

Microsoft Copilot Access To External Resources XPIA

Benjamin Zulliger|Feb 26, 2026

CloudAppEvents

Microsoft Copilot Jailbreak Detected

Benjamin Zulliger|Feb 26, 2026

DeviceProcessEvents

Attempt To Disable Syslog Service

Benjamin Zulliger|Feb 26, 2026

DeviceProcessEvents

Attempt To Disable Auditd Service

Benjamin Zulliger|Feb 26, 2026

ADOAuditLogs_CL

Azure Dev Ops Activity From Newor Rare IP Outside Business Hours

Benjamin Zulliger|Feb 26, 2026

ADOAuditLogs_CL

Azure Dev Ops Critical Search Queries

Benjamin Zulliger|Feb 26, 2026

ADOAuditLogs_CL

Azure Dev Ops Critical Permission Modification

Benjamin Zulliger|Feb 26, 2026

LOLDriversDeviceEvents

MDE Asr Vulnerable Signed Driver Blocked

Alex Verboon|Feb 23, 2026

DeviceProcessEvents

Click Fix Lo L Bin Abuse

Benjamin Zulliger|Feb 23, 2026

DeviceProcessEvents

Click Fix Nslookup DNS Staging

Benjamin Zulliger|Feb 23, 2026

DeviceRegistryEvents

Run MRU Click Fix Detection

Benjamin Zulliger|Feb 23, 2026

SecurityIncidentSecurityAlert

Alert Efficiency

Bert-Jan Pals|Feb 22, 2026

EntraIdSignInEvents

Entra Id Sign In Events Suspicious User Agent

Jay Kerai|Feb 17, 2026

EntraIdSignInEvents

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Jay Kerai|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Summarise Firewall Outbound Blocks By Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Outbound Firewall Blocks Filtered By Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Outbound Firewall Blocks Filter By Device And Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Windows Firewall Outbound Blocked Connections

Nathan Hutchinson|Feb 17, 2026

AuditLogs

Security Copilot Agent Deleted

Jay Kerai|Feb 17, 2026

DeviceNetworkEvents

Windows Find Net BIOS Name Service NBNS Usage UDP 137

Nathan Hutchinson|Feb 15, 2026

EmailEventsEmailUrlInfo

Applying Shanon Entropy To Sender Domains Via Kusto

Sergio Albea|Feb 12, 2026

DeviceEvents

Windows All Firewall Inbound Block Events Last 100

Nathan Hutchinson|Feb 12, 2026

IdentityLogonEvents

Windows Detect NTLM Usage In The Environment

Nathan Hutchinson|Feb 12, 2026

DeviceEvents

Windows Inbound Firewall Blocks By Process

Nathan Hutchinson|Feb 12, 2026

DeviceTvmSoftwareVulnerabilitiesDeviceProcessEventsDeviceFileEvents+2

CVE 2026 21510 Windows Shell Security Feature Bypass

Benjamin Zulliger|Feb 11, 2026

EntraUsers

Detection Enrichment Entra User

Bert-Jan Pals|Feb 11, 2026

EntraGroupMembershipsEntraGroups

Detection Enrichment Entra Group Membership

Bert-Jan Pals|Feb 10, 2026

DeviceNetworkEvents

Device IP History

C.J. May|Feb 10, 2026

MessageEventsMessageUrlInfo

Detect Malicious Teams Message

Robbe Van den Daele|Feb 10, 2026

MessageEventsIdentityInfoMessageUrlInfo

Detect External User Sending Suspicious Link To Multiple Users

Robbe Van den Daele|Feb 10, 2026

MessageEventsIdentityInfo

Detect Possible Teams Bec Attack By High Teams Recipients

Robbe Van den Daele|Feb 10, 2026

DeviceRegistryEvents

Image File Execution Options IFEO Or Silent Process Exit Registry Modification

Benjamin Zulliger|Feb 9, 2026

DeviceFileEvents

Malicious Browser Extension Downloads Using Device File Events

Jay Kerai|Feb 8, 2026

SigninLogsAADNonInteractiveUserSignInLogs

Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts

Jay Kerai|Feb 5, 2026

AuditLogs

MCP Server Registered To Entra

Jay Kerai|Feb 5, 2026

StorageBlobLogs

Anonymous Retrieval Of Azure Blob Versions

Fabian Bader|Feb 5, 2026

StorageBlobLogs

Potential Storage Enumeration Or Brute Force Attack

Fabian Bader|Feb 5, 2026

AzureActivityAuditLogs

Unauthorized Federated Credential Added To Managed Identity

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Azurekid Blackcat Security Module Activity

Fabian Bader|Feb 5, 2026

AuditLogs

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Service Principal Enumeration Of App Role Assignments

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Adds Client Secret To Target Application

Fabian Bader|Feb 5, 2026

AADServicePrincipalSignInLogs

Service Principal Sign In From New Country

Fabian Bader|Feb 5, 2026

AuditLogs

Privileged Role Assignment Outside Of PIM

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Added To Global Administrator Role

Fabian Bader|Feb 5, 2026

StorageFileLogs

Successful Azure Storage File Access From Unauthorized Geo Location

Fabian Bader|Feb 5, 2026

DeviceProcessEvents

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Jay Kerai|Feb 3, 2026

DeviceNetworkEvents

Notepad Chrysalis Backdoor Gupexe Detection

Jay Kerai|Feb 3, 2026

DeviceProcessEventsDeviceNetworkEvents

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

Jay Kerai|Feb 3, 2026

KQL Search

Our Sponsors ❤️

Excessive Copilot Prompt Activity

Microsoft Copilot Access To External Resources XPIA

Microsoft Copilot Jailbreak Detected

Attempt To Disable Syslog Service

Attempt To Disable Auditd Service

Azure Dev Ops Activity From Newor Rare IP Outside Business Hours

Azure Dev Ops Critical Search Queries

Azure Dev Ops Critical Permission Modification

MDE Asr Vulnerable Signed Driver Blocked

Click Fix Lo L Bin Abuse

Click Fix Nslookup DNS Staging

Run MRU Click Fix Detection

Alert Efficiency

Entra Id Sign In Events Suspicious User Agent

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Windows Summarise Firewall Outbound Blocks By Firewall Profile

Windows Outbound Firewall Blocks Filtered By Firewall Profile

Windows Outbound Firewall Blocks Filter By Device And Firewall Profile

Windows Windows Firewall Outbound Blocked Connections

Security Copilot Agent Deleted

Windows Find Net BIOS Name Service NBNS Usage UDP 137

Applying Shanon Entropy To Sender Domains Via Kusto

Windows All Firewall Inbound Block Events Last 100

Windows Detect NTLM Usage In The Environment

Windows Inbound Firewall Blocks By Process

CVE 2026 21510 Windows Shell Security Feature Bypass

Detection Enrichment Entra User

Detection Enrichment Entra Group Membership

Device IP History

Detect Malicious Teams Message

Detect External User Sending Suspicious Link To Multiple Users

Detect Possible Teams Bec Attack By High Teams Recipients

Image File Execution Options IFEO Or Silent Process Exit Registry Modification

Malicious Browser Extension Downloads Using Device File Events

Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts

MCP Server Registered To Entra

Anonymous Retrieval Of Azure Blob Versions

Potential Storage Enumeration Or Brute Force Attack

Unauthorized Federated Credential Added To Managed Identity

Azurekid Blackcat Security Module Activity

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Service Principal Enumeration Of App Role Assignments

Service Principal Adds Client Secret To Target Application

Service Principal Sign In From New Country

Privileged Role Assignment Outside Of PIM

Service Principal Added To Global Administrator Role

Successful Azure Storage File Access From Unauthorized Geo Location

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Notepad Chrysalis Backdoor Gupexe Detection

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation