KQL Search
Device Query
XDR Device Alerts
AlertEvidence
AlertInfo
Author:
Bert-Jan Pals
Released:
September 28th, 2025
Detecting Potential CA Policy Bypass By Privileged Accounts Via Private Browser Sessions
DeviceProcessEvents
IdentityInfo
Author:
Sergio Albea
Released:
September 28th, 2025
Multiple Activity From Anonymous IP Addresses
AADUserRiskEvents
SecurityAlert
SigninLogs
AADNonInteractiveUserSignInLogs
Author:
Jose Sebastián Canós
Released:
September 26th, 2025
Ingestion Delays
GraphAPIAuditEvents
MicrosoftGraphActivityLogs
Author:
Bert-Jan Pals
Released:
September 23rd, 2025
Removed Device Events
SecurityEvent
AuditLogs
Author:
Jose Sebastián Canós
Released:
September 23rd, 2025
Multiple Microsoft Entra Threat Intelligence
AADUserRiskEvents
SecurityAlert
SigninLogs
Author:
Jose Sebastián Canós
Released:
September 18th, 2025
New KSMBD DoS CVE-2025-38501 Can Exhaust SMB Connections Via Half Open TCP Handshakes
DeviceInfo
DeviceNetworkEvents
Author:
Sergio Albea
Released:
September 17th, 2025
Multiple Entra ID Protection Risk Events
EntraIDProtectionRiskEvents
Author:
Jose Sebastián Canós
Released:
September 17th, 2025
Analytics Entra ID Protection Risk Events
AADUserRiskEvents
SecurityAlert
SigninLogs
AADNonInteractiveUserSignInLogs
Author:
Jose Sebastián Canós
Released:
September 17th, 2025
Multiple Risky AD FS Sign In
AADUserRiskEvents
SigninLogs
Author:
Jose Sebastián Canós
Released:
September 17th, 2025
MDE Onboarding Status Timeline
DeviceInfo
Author:
Alex Verboon
Released:
September 17th, 2025
MDE Aggregated Reporting
DeviceFileEvents
DeviceLogonEvents
DeviceNetworkEvents
DeviceProcessEvents
Author:
Alex Verboon
Released:
September 17th, 2025
TH Wmic PS Encoded
DeviceProcessEvents
Author:
Alex Verboon
Released:
September 17th, 2025
Sign In Attempts Using Deprecated TLS Versions
AADSignInEventsBeta
Author:
Sergio Albea
Released:
September 16th, 2025
Hunt Critical Credentials On Non TPM Devices
ExposureGraphNodes
ExposureGraphEdges
Author:
Robbe Van den Daele
Released:
September 15th, 2025
Hunt Critical Credentials On Devices With Non Critical Accounts
ExposureGraphNodes
ExposureGraphEdges
Author:
Robbe Van den Daele
Released:
September 15th, 2025
Hunt Public Remotely Exploitable Devices With High EPSS
ExposureGraphNodes
DeviceNetworkEvents
DeviceTvmSoftwareVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
Author:
Robbe Van den Daele
Released:
September 15th, 2025
Hunting For Malicious ClickFix Cases From Airports
DeviceNetworkEvents
Author:
Sergio Albea
Released:
September 12th, 2025
Add Custom Security Attribute Definition In An Attribute Set
AADCustomSecurityAttributeAuditLogs
Author:
Jay Kerai
Released:
September 10th, 2025
WDAC App Control Collect Data For App Control Manager
DeviceEvents
Author:
Jay Kerai
Released:
September 9th, 2025
Device Events AppLocker Events
DeviceEvents
Author:
Jay Kerai
Released:
September 9th, 2025
Potential User Signed Into Edge Browser From Unmanaged Or Unregistered Device
SigninLogs
Author:
Jay Kerai
Released:
September 8th, 2025
Rclone Copy Process Args
DeviceProcessEvents
Author:
Jay Kerai
Released:
September 7th, 2025
Azure Function App Stopped Or Deleted
AzureActivity
Author:
Jay Kerai
Released:
September 5th, 2025
Azure Communication Services Deleted
AzureActivity
Author:
Jay Kerai
Released:
September 5th, 2025
Azure Logic App Disabled Or Deleted
AzureActivity
Author:
Jay Kerai
Released:
September 5th, 2025
AAD Sign In Events Beta Hunting Potential Seamless SSO Usage
AADSignInEventsBeta
Author:
Jay Kerai
Released:
August 30th, 2025
Multiple Verified Threat Actor IP
AADUserRiskEvents
SecurityAlert
SigninLogs
Author:
Jose Sebastián Canós
Released:
August 29th, 2025
Multiple Suspicious API Traffic
AADUserRiskEvents
SecurityAlert
AADNonInteractiveUserSignInLogs
Author:
Jose Sebastián Canós
Released:
August 29th, 2025
Entra ID Entra Connect Sync Audit Events
SecurityEvent
Author:
Alex Verboon
Released:
August 29th, 2025
AD Account Last Logon
IdentityInfo
IdentityLogonEvents
Author:
Alex Verboon
Released:
August 29th, 2025
Purview Entra CA Block Insider Risk
SigninLogs
Author:
Alex Verboon
Released:
August 29th, 2025
TH Use Of Administrator Account
DeviceLogonEvents
Author:
Alex Verboon
Released:
August 29th, 2025
Azure DevOps Repositories
ExposureGraphNodes
Author:
Alex Verboon
Released:
August 29th, 2025
MDE Sense Triggers PowerShell Public IP
DeviceNetworkEvents
Author:
Alex Verboon
Released:
August 29th, 2025
MDE Suspicious TCP Flags
DeviceNetworkEvents
Author:
Alex Verboon
Released:
August 29th, 2025
TH Top Level Domains
DeviceNetworkEvents
EmailUrlInfo
EmailEvents
UrlClickEvents
Author:
Alex Verboon
Released:
August 29th, 2025
Multiple Leaked Credentials
AADUserRiskEvents
SecurityAlert
Author:
Jose Sebastián Canós
Released:
August 28th, 2025
Fetch Dynamic And Manual Tags For Active Devices
DeviceInfo
Author:
Michalis Michalos
Released:
August 28th, 2025
Set Persistence Using Event Viewer Microsoft Redirection Program
DeviceRegistryEvents
Author:
Jay Kerai
Released:
August 27th, 2025
Hunt Domains With Seamless SSO Enabled
DeviceInfo
IdentityLogonEvents
Author:
Robbe Van den Daele
Released:
August 26th, 2025
Enrollment Attempt With Adcsesc1honeypot Template
SecurityEvent
Author:
Fabian Bader
Released:
August 24th, 2025
File From Host Collected
CloudAppEvents
Author:
Bert-Jan Pals
Released:
August 24th, 2025
Detecting Onmicrosoft Domains Impacted By Email Exchange Restrictions With External Domains
EmailEvents
Author:
Sergio Albea
Released:
August 23rd, 2025
MDI Dormant Accounts
IdentityInfo
IdentityDirectoryEvents
Author:
Alex Verboon
Released:
August 22nd, 2025
D4IOT Connector State
iotsecurityresources
Author:
Alex Verboon
Released:
August 22nd, 2025
MDXDR Attack Disruption And Response
DisruptionAndResponseEvents
Author:
Alex Verboon
Released:
August 22nd, 2025
Arc Compare MDE
Resources
DeviceInfo
Author:
Alex Verboon
Released:
August 22nd, 2025
MDI Identify Service Account OUs
IdentityInfo
Author:
Alex Verboon
Released:
August 22nd, 2025
EEG Assets Allowing Remote Access
ExposureGraphNodes
DeviceInfo
Author:
Alex Verboon
Released:
August 22nd, 2025