Search and discover KQL queries for Microsoft Sentinel, Defender, and Azure Monitor

AuditLogs

High Privilege Takeover Agent ID Administrator Role Abuse

EntraIdSignInEvents

Session Ids From Multiple OS And User Agents Token Theft Session Hijack Detection

DeviceNetworkInfo, DeviceInfo

Multiple Unusual Network Adapter Vendor

CloudAppEvents

New Tenant Allow Block List TABL Entry

Auto Close Low Priority Score Incidents

IntuneOperationalLogs

Intune Operational Logs Unexpected Device OS Type Modification

AuditLogs, IntuneOperationalLogs, IdentityInfo

Multiple Registered Devices By Account

EmailEvents, EmailUrlInfo

Detect Potential Malicious Emails Based On Internet Message Id Dates

EmailEvents

Detect Microsoft One Time Pass Code Emails Via Internet Message Id Odspnotify Value

EmailEvents, EmailUrlInfo

Detect Microsoft Shared File Messages Via Internet Message Id Odspnotify Value

AuditLogs

Audit Logs Unexpected Device OS Type Modification

IdentityDirectoryEvents

MDI AD Group Policy Password Policy

Watchlist

Sentinel Watchlists

PowerPlatformAdminActivity, CloudAppEvents

Power Platform Customer Lockbox

CloudAppEvents, IdentityInfo

Copilot Agents Sharing

CopilotActivity

Copilot Jailbreak Detected

OfficeActivity, CloudAppEvents

Copilot Agent Approval

CloudAppEvents, IdentityInfo

Copilot Agents User Access

CloudAppEvents

Copilot Agents Allowed Agent Types

SigninLogs, AADNonInteractiveUserSignInLogs

Multiple Unusual User Agent From Registered Device Avoiding Conditional Access

DeviceEvents, DeviceProcessEvents

Defender Red Sun Detection Named Pipe Detection Correlated To Anti Virus Detection

SigninLogs

List Of MFA Methods Used With UPN Details

IdentityInfo, ExposureGraphNodes

MDXDR Critical Assets

DeviceEvents

Defender Red Sun Detection Named Pipe Detection

DeviceFileEvents

Defender Red Sun Detection Tiering Engine Service Created In App Data

SigninLogs, AADNonInteractiveUserSignInLogs, ADFSSignInLogs

Multiple Suspicious Device Code Authentication

SigninLogs

Users Authenticating With The MFA Companion App

SigninLogs

Overview Of All MFA Methods In Use

DeviceNetworkEvents, DeviceFileEvents

Suspicious 0-Day Adobe Reader Process Activity

DeviceProcessEvents

Detect TLS Validation Bypass Via PowerShell

DeviceProcessEvents, DeviceFileEvents

Audit Claude Behavior

DeviceProcessEvents

Git Abuse High Fidelity

DeviceProcessEvents

Execution Git Commit Amend No Verify

DeviceProcessEvents

Execution Batch Git Abuse

DeviceProcessEvents

Defense Evasion Time Change Git

DeviceProcessEvents

Defense Evasion Git Config Masquerade

DeviceProcessEvents

Correlation Git And VS Code Task Abuse

DeviceProcessEvents

Git Force Push

DeviceLogonEvents, DeviceNetworkEvents

Privileged RDP Session Source Mismatch

DeviceRegistryEvents

IFEO Unauthorized Debugger Registration

DeviceProcessEvents

macOS Suspicious Shell Or Direct Process Execution From Browser

DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB

Device TVM Secure Configuration Assessment Summary

DeviceNetworkEvents

Node C2polinder

DeviceFileEvents

VS Code Persistence

DeviceProcessEvents

Polin Rider Node

AzureActivity

Azure Activity Compromised Account

EntraIdSignInEvents, SigninLogs

Successful Signin From Suspicious User Agent

DeviceProcessEvents

Local Administrator Account Added By Scheduled Task

DeviceEvents

Defender IOC Warning Bypass Or Monitor Mode MDA Bypass

DeviceInfo

List Devices Array