KQL Search
MDE Device Registry Events Tampering To Device Tag
Table: DeviceRegistryEvents
Author: Jay Kerai
Released: July 3rd, 2025

Entra Sign-Ins To Legacy Azure Active Directory PowerShell
Table: SigninLogs
Author: Jay Kerai
Released: July 3rd, 2025

Detect The Removal Of Evidence On Executed Programs
Table: DeviceProcessEvents
Author: Sergio Albea
Released: July 2nd, 2025

Detect Bcdedit Commands Related To Boot Configuration
Table: DeviceProcessEvents
Author: Sergio Albea
Released: July 2nd, 2025

Suspicious Browser Child Process
Table: DeviceProcessEvents
Author: Bert-Jan Pals
Released: July 2nd, 2025

Audit Logs Azure RBAC Elevated Access Operation
Table: AuditLogs
Author: Jose Sebastián Canós
Released: June 30th, 2025

Identify Microsoft Sentinel Changes From Users Not Defined Within Approved User Groups
Tables: ExposureGraphEdges, IdentityInfo, SentinelAudit
Author: Michalis Michalos
Released: June 30th, 2025

Identify Activities In Log Analytics Workspace Resource Locks
Table: AzureActivity
Author: Michalis Michalos
Released: June 30th, 2025

Identify Log Analytics Contributor And Data Purger Role Assignment
Table: AzureActivity
Author: Michalis Michalos
Released: June 30th, 2025

Monitor For Analytics Editing In Microsoft Sentinel
Table: SentinelAudit
Author: Michalis Michalos
Released: June 30th, 2025

CA Bypass First Party Apps
Tables: AADSignInEventsBeta, SigninLogs, AADNonInteractiveUserSignInLogs
Author: Thomas Naunheim
Released: June 29th, 2025

EEG High Privilege Identities Across Subscriptions
Tables: ExposureGraphEdges, ExposureGraphNodes
Author: Alex Verboon
Released: June 29th, 2025

EEG Trace Lateral Movement
Tables: ExposureGraphNodes, ExposureGraphEdges
Author: Alex Verboon
Released: June 29th, 2025

MDI Sensor Deleted
Table: CloudAppEvents
Author: Bert-Jan Pals
Released: June 29th, 2025

Detect Anomalous External OAuth App Activity Using Actor Info String
Tables: CloudAppEvents, OAuthAppInfo
Author: Steven Lim
Released: June 28th, 2025

Hackers Exploit Cloudflare Tunnels To Infect Windows Systems With Python Malware
Tables: WeeklyOSINT, EmailAttachmentInfo, EmailUrlInfo, DeviceFileEvents, DeviceNetworkEvents
Author: Steven Lim
Released: June 27th, 2025

Analytics App Consent Assignment
Table: AuditLogs
Author: Jose Sebastián Canós
Released: June 27th, 2025

Direct Send Abuse Detection
Table: DeviceEvents
Author: Steven Lim
Released: June 26th, 2025

Detecting Text And CSV Data Dumps Via Command Line
Table: DeviceEvents
Author: Sergio Albea
Released: June 26th, 2025

Suspicious CLI Obfuscation
Table: DeviceProcessEvents
Author: Steven Lim
Released: June 25th, 2025

Suspicious MSHTA Usage
Table: DeviceProcessEvents
Author: Steven Lim
Released: June 24th, 2025

FileFix Detection
Table: DeviceProcessEvents
Author: Steven Lim
Released: June 24th, 2025

Hunt MDI Not Installed
Tables: DeviceTvmSoftwareInventory, ExposureGraphNodes
Author: Robbe Van den Daele
Released: June 23rd, 2025

Analytics Entra ID Role Assignments
Table: AuditLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Audit Logs Entra ID Role Assignment
Table: EntraIDRoleAssignments
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Audit Logs Entra ID B2C Settings Modified
Table: AuditLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Analytics Unexpected Entra ID Device
Tables: _GetWatchlist, AuditLogs, SigninLogs, AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Multiple Unexpected Entra ID Device
Table: UnexpectedEntraIDDevice
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Audit Logs Entra ID Unusual Operation
Table: AuditLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Detecting Connections Affected By The Blocking Legacy Authentication Enforcement Expected By July 2025
Table: AADSignInEventsBeta
Author: Sergio Albea
Released: June 23rd, 2025

Unified Identity Info XDR
Tables: IdentityInfo, OAuthAppInfo, ExposureGraphNodes, ExposureGraphEdges
Author: Thomas Naunheim
Released: June 23rd, 2025

Sniffing Out UNC3944 On Teams
Tables: IdentityInfo, MessageEvents, MessageUrlInfo
Author: Steven Lim
Released: June 22nd, 2025

Cloudflared Tunnel
Table: DeviceProcessEvents
Author: C.J. May
Released: June 20th, 2025

External Attack Surface Monitoring KQL
Tables: ExposureGraphNodes, DeviceNetworkEvents
Author: Steven Lim
Released: June 18th, 2025

Social Engineering Attack Detection
Tables: EmailEvents, DeviceNetworkEvents, RMMList
Author: Steven Lim
Released: June 18th, 2025

User Account Deletion
Table: SecurityEvent
Author: Bert-Jan Pals
Released: June 16th, 2025

Detect Cred Add To Connect Sync Application
Table: AuditLogs
Author: Robbe Van den Daele
Released: June 16th, 2025

Detect Changes To Connect Sync Application
Table: AuditLogs
Author: Robbe Van den Daele
Released: June 16th, 2025

TA4557 Drops More Eggs
Table: DeviceEvents
Author: Steven Lim
Released: June 16th, 2025

CVE-2025-33073 Detection
Tables: DeviceInfo, DnsEvents
Author: Steven Lim
Released: June 16th, 2025

Entra ID PIM Role Activations
Table: AuditLogs
Author: Alex Verboon
Released: June 15th, 2025

Entra ID Disabled Users With Priv Roles
Table: IdentityInfo
Author: Alex Verboon
Released: June 15th, 2025

MDE Defender Passive Mode
Table: DeviceTvmInfoGathering
Author: Alex Verboon
Released: June 15th, 2025

Entra ID Enterprise Apps Deleted
Table: AuditLogs
Author: Alex Verboon
Released: June 15th, 2025

MDE Windows Server Client Missing Updates Summary
Tables: DeviceTvmSoftwareVulnerabilities, DeviceInfo
Author: Alex Verboon
Released: June 15th, 2025

Discord Invite Hijacking Detection
Table: DeviceNetworkEvents
Author: Steven Lim
Released: June 15th, 2025

MDE Office 365 Version History
Table: DeviceTvmSoftwareInventory
Author: Alex Verboon
Released: June 14th, 2025

Suspicious OAuth Applications Used To Retrieve And Send Emails
Table: OAuthAppInfo
Author: Steven Lim
Released: June 14th, 2025

Potential Commands Executed By A Renamed PowerShell.exe
Table: DeviceProcessEvents
Author: Sergio Albea
Released: June 12th, 2025

Hunt MSOL Azure AD Connect Or Entra Sync Servers
Table: DeviceTvmSoftwareInventory
Author: Robbe Van den Daele
Released: June 12th, 2025