XDR Device Alerts

AlertEvidence, AlertInfo
Author: Bert-Jan Pals | Released: September 28th, 2025

Detecting Potential CA Policy Bypass By Privileged Accounts Via Private Browser Sessions

DeviceProcessEvents, IdentityInfo
Author: Sergio Albea | Released: September 28th, 2025

Multiple Activity From Anonymous IP Addresses

AADUserRiskEvents, SecurityAlert, SigninLogs, AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós | Released: September 26th, 2025

Ingestion Delays

GraphAPIAuditEvents, MicrosoftGraphActivityLogs
Author: Bert-Jan Pals | Released: September 23rd, 2025

Removed Device Events

SecurityEvent, AuditLogs
Author: Jose Sebastián Canós | Released: September 23rd, 2025

Multiple Microsoft Entra Threat Intelligence

AADUserRiskEvents, SecurityAlert, SigninLogs
Author: Jose Sebastián Canós | Released: September 18th, 2025

New KSMBD DoS CVE-2025-38501 Can Exhaust SMB Connections Via Half-Open TCP Handshakes

DeviceInfo, DeviceNetworkEvents
Author: Sergio Albea | Released: September 17th, 2025

Multiple Entra ID Protection Risk Events

EntraIDProtectionRiskEvents
Author: Jose Sebastián Canós | Released: September 17th, 2025

Analytics Entra ID Protection Risk Events

AADUserRiskEvents, SecurityAlert, SigninLogs, AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós | Released: September 17th, 2025

Multiple Risky AD FS Sign In

AADUserRiskEvents, SigninLogs
Author: Jose Sebastián Canós | Released: September 17th, 2025

MDE Onboarding Status Timeline

DeviceInfo
Author: Alex Verboon | Released: September 17th, 2025

MDE Aggregated Reporting

DeviceFileEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents
Author: Alex Verboon | Released: September 17th, 2025

TH Wmic PS Encoded

DeviceProcessEvents
Author: Alex Verboon | Released: September 17th, 2025

Sign In Attempts Using Deprecated TLS Versions

AADSignInEventsBeta
Author: Sergio Albea | Released: September 16th, 2025

Hunt Critical Credentials On Non-TPM Devices

ExposureGraphNodes, ExposureGraphEdges
Author: Robbe Van den Daele | Released: September 15th, 2025

Hunt Critical Credentials On Devices With Non-Critical Accounts

ExposureGraphNodes, ExposureGraphEdges
Author: Robbe Van den Daele | Released: September 15th, 2025

Hunt Public Remotely Exploitable Devices With High EPSS

ExposureGraphNodes, DeviceNetworkEvents, DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB
Author: Robbe Van den Daele | Released: September 15th, 2025

Hunting For Malicious ClickFix Cases From Airports

DeviceNetworkEvents
Author: Sergio Albea | Released: September 12th, 2025

Add Custom Security Attribute Definition In An Attribute Set

AADCustomSecurityAttributeAuditLogs
Author: Jay Kerai | Released: September 10th, 2025

WDAC App Control Collect Data For App Control Manager

DeviceEvents
Author: Jay Kerai | Released: September 9th, 2025

DeviceEvents AppLocker Events

DeviceEvents
Author: Jay Kerai | Released: September 9th, 2025

Potential User Signed Into Edge Browser From Unmanaged Or Unregistered Device

SigninLogs
Author: Jay Kerai | Released: September 8th, 2025

Rclone Copy Process Args

DeviceProcessEvents
Author: Jay Kerai | Released: September 7th, 2025

Azure Function App Stopped Or Deleted

AzureActivity
Author: Jay Kerai | Released: September 5th, 2025

Azure Communication Services Deleted

AzureActivity
Author: Jay Kerai | Released: September 5th, 2025

Azure Logic App Disabled Or Deleted

AzureActivity
Author: Jay Kerai | Released: September 5th, 2025

AAD Sign In Events Beta Hunting Potential Seamless SSO Usage

AADSignInEventsBeta
Author: Jay Kerai | Released: August 30th, 2025

Multiple Verified Threat Actor IP

AADUserRiskEvents, SecurityAlert, SigninLogs
Author: Jose Sebastián Canós | Released: August 29th, 2025

Multiple Suspicious API Traffic

AADUserRiskEvents, SecurityAlert, AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós | Released: August 29th, 2025

Entra ID Entra Connect Sync Audit Events

SecurityEvent
Author: Alex Verboon | Released: August 29th, 2025

AD Account Last Logon

IdentityInfo, IdentityLogonEvents
Author: Alex Verboon | Released: August 29th, 2025

Purview Entra CA Block Insider Risk

SigninLogs
Author: Alex Verboon | Released: August 29th, 2025

TH Use Of Administrator Account

DeviceLogonEvents
Author: Alex Verboon | Released: August 29th, 2025

Azure DevOps Repositories

ExposureGraphNodes
Author: Alex Verboon | Released: August 29th, 2025

MDE Sense Triggers PowerShell Public IP

DeviceNetworkEvents
Author: Alex Verboon | Released: August 29th, 2025

MDE Suspicious TCP Flags

DeviceNetworkEvents
Author: Alex Verboon | Released: August 29th, 2025

TH Top-Level Domains

DeviceNetworkEvents, EmailUrlInfo, EmailEvents, UrlClickEvents
Author: Alex Verboon | Released: August 29th, 2025

Multiple Leaked Credentials

AADUserRiskEvents, SecurityAlert
Author: Jose Sebastián Canós | Released: August 28th, 2025

Fetch Dynamic And Manual Tags For Active Devices

DeviceInfo
Author: Michalis Michalos | Released: August 28th, 2025

Set Persistence Using Event Viewer Microsoft Redirection Program

DeviceRegistryEvents
Author: Jay Kerai | Released: August 27th, 2025

Hunt Domains With Seamless SSO Enabled

DeviceInfo, IdentityLogonEvents
Author: Robbe Van den Daele | Released: August 26th, 2025

Enrollment Attempt With Adcsesc1honeypot Template

SecurityEvent
Author: Fabian Bader | Released: August 24th, 2025

File From Host Collected

CloudAppEvents
Author: Bert-Jan Pals | Released: August 24th, 2025

Detecting Onmicrosoft Domains Impacted By Email Exchange Restrictions With External Domains

EmailEvents
Author: Sergio Albea | Released: August 23rd, 2025

MDI Dormant Accounts

IdentityInfo, IdentityDirectoryEvents
Author: Alex Verboon | Released: August 22nd, 2025

D4IOT Connector State

iotsecurityresources
Author: Alex Verboon | Released: August 22nd, 2025

MDXDR Attack Disruption And Response

DisruptionAndResponseEvents
Author: Alex Verboon | Released: August 22nd, 2025

Arc Compare MDE

Resources, DeviceInfo
Author: Alex Verboon | Released: August 22nd, 2025

MDI Identify Service Account OUs

IdentityInfo
Author: Alex Verboon | Released: August 22nd, 2025

EEG Assets Allowing Remote Access

ExposureGraphNodes, DeviceInfo
Author: Alex Verboon | Released: August 22nd, 2025