KQL Search

DeviceTvmCertificateInfoDeviceInfoDeviceTvmSoftwareVulnerabilities

MDE Digi Cert Global Root G2

Alex Verboon|Dec 19, 2025

SigninLogs

Correlation Id Equals Tenant Id In Peculiar Password Spray

Jose Sebastián Canós|Dec 18, 2025

DeviceEventsDeviceNetworkEventsDeviceProcessEvents

Suspicious MS Build Remote Thread

Bert-Jan Pals|Dec 15, 2025

DeviceProcessEvents

Pod Containerexec

Ali Hussein|Dec 14, 2025

DeviceFileEvents

Executable Files Program Data Folder

Bert-Jan Pals|Dec 10, 2025

DeviceInfo

MDE Device Groups

Alex Verboon|Dec 9, 2025

DeviceInfo

MDE Device Active Inactive

Alex Verboon|Dec 9, 2025

EmailEventsEmailUrlInfo

KQL Techniques For Email URL Redirect Hunting

Sergio Albea|Dec 8, 2025

IdentityAccountInfoIdentityInfo

MDI Identity Password Security Posture Assessment

Alex Verboon|Dec 6, 2025

OfficeActivityCloudAppEvents

MDO Auto Forwarding Mode

Alex Verboon|Dec 3, 2025

resources

Azure Resource Graph APIM With Basic Auth Enabled

Jay Kerai|Dec 2, 2025

AuditLogs

Entra Account Disabled

Jay Kerai|Dec 2, 2025

AuditLogs

Entra Group Changes

Jay Kerai|Dec 2, 2025

AuditLogs

Entra Password Resets

Jay Kerai|Dec 2, 2025

AuditLogs

User Deleted From Entra

Jay Kerai|Dec 2, 2025

AuditLogs

Device Deleted From Entra

Jay Kerai|Dec 2, 2025

resources

Audit Logic Apps With Office365 Connections Using Resource Query

Jay Kerai|Dec 1, 2025

DeviceProcessEvents

Executables In App Data Local Roaming

Jay Kerai|Nov 27, 2025

resourcechanges

Azure Resource VM Sku Sizes Changes

Jay Kerai|Nov 27, 2025

IdentityInfo

UEBA Find Onpremise Users With Password Not Required

Jay Kerai|Nov 27, 2025

resourcechanges

Azure Resource VM Sku Sizes

Jay Kerai|Nov 25, 2025

DeviceEvents

MDI Automatic Windows Auditing Configuration

Alex Verboon|Nov 22, 2025

TorExitNodesHistoricDeviceNetworkEvents

IC Tor Exit Browser Hunting Based On Device Events

Sergio Albea|Nov 18, 2025

DeviceProcessEventsDeviceImageLoadEvents

Rustdeskexecution

Ali Hussein|Nov 12, 2025

ExposureGraphNodesExposureGraphEdges

Hunt Critical Credentials On Non Cred Guard Devices

Robbe Van den Daele|Nov 11, 2025

DeviceFileEventsDeviceNetworkEvents

Data Staging File Zilla Ps FTP Winscp

Ali Hussein|Nov 11, 2025

DeviceProcessEvents

Veeam PSQL Dump

Ali Hussein|Nov 11, 2025

DeviceEvents

DNS Zone Export

Ali Hussein|Nov 10, 2025

DeviceProcessEvents

Sshtunneltoexternalhost

Ali Hussein|Nov 10, 2025

DeviceProcessEvents

NTD Sdumpwbadmin

Ali Hussein|Nov 10, 2025

DeviceProcessEvents

Bumblee Bee Initiailaccess

Ali Hussein|Nov 10, 2025

DeviceProcessEvents

TH Obfuscated Or Encoded Commandline

Alex Verboon|Nov 9, 2025

DeviceInfoDeviceNetworkInfoDeviceNetworkEvents

LM Internal Threat Hunting Over Routers Devices

Sergio Albea|Nov 9, 2025

DeviceNetworkEvents

Detecting Abuse Of Sync Thing Tool To Steal Data

Sergio Albea|Nov 6, 2025

DeviceImageLoadEventsDeviceEventsDeviceNetworkEvents

Sliver C2beacon Loaded

Bert-Jan Pals|Nov 6, 2025

AlertEvidence

NRT Auto IR High Impact Alert

Bert-Jan Pals|Nov 4, 2025

SigninLogs

Entra Identify And Map Authentication Context Usage

Jay Kerai|Nov 3, 2025

AuditLogs

Access Review On Role Assignable Group Auto Deleted

Jay Kerai|Nov 2, 2025

AlertEvidenceAlertInfo

XDR Upn Alerts

Bert-Jan Pals|Nov 1, 2025

DeviceRegistryEvents

Detecting Modification Of Windows Security Audit Policy Auditpolexe

Sergio Albea|Oct 29, 2025

DeviceProcessEvents

Detecting Execution Of Windows Security Audit Policy Auditpolexe

Sergio Albea|Oct 29, 2025

IdentityLogonEventsDeviceNetworkInfoDeviceInfo

Detect Suspicious Spn Logon From Workstation

Robbe Van den Daele|Oct 24, 2025

DeviceNetworkEvents

Detect Dump Guard Ntlm Challenge

Robbe Van den Daele|Oct 24, 2025

OfficeActivity

Third Party Phishing Report Malfunction

Jose Sebastián Canós|Oct 21, 2025

AuditLogs

Audit When PIM Fails To Remove An Eligible Member From Role

Jay Kerai|Oct 19, 2025

EmailAttachmentInfoDeviceFileEventsDeviceEvents

Detect Last Pass Hack Emails Attempts To Trick Users Into Installing Malware

Sergio Albea|Oct 16, 2025

DeviceFileEvents

Identifying File Exfiltration Via RDP Sessions

Sergio Albea|Oct 15, 2025

DeviceProcessEvents

Cache Smuggle

Daniel Card|Oct 14, 2025

DeviceFileEvents

NTDS File Create Modify

Ali Hussein|Oct 13, 2025

IdentityLogonEvents

Identities Bad Reputation ASN Activities

Sergio Albea|Oct 10, 2025

Our Sponsors ❤️

MDE Digi Cert Global Root G2

Correlation Id Equals Tenant Id In Peculiar Password Spray

Suspicious MS Build Remote Thread

Pod Containerexec

Executable Files Program Data Folder

MDE Device Groups

MDE Device Active Inactive

KQL Techniques For Email URL Redirect Hunting

MDI Identity Password Security Posture Assessment

MDO Auto Forwarding Mode

Azure Resource Graph APIM With Basic Auth Enabled

Entra Account Disabled

Entra Group Changes

Entra Password Resets

User Deleted From Entra

Device Deleted From Entra

Audit Logic Apps With Office365 Connections Using Resource Query

Executables In App Data Local Roaming

Azure Resource VM Sku Sizes Changes

UEBA Find Onpremise Users With Password Not Required

Azure Resource VM Sku Sizes

MDI Automatic Windows Auditing Configuration

IC Tor Exit Browser Hunting Based On Device Events

Rustdeskexecution

Hunt Critical Credentials On Non Cred Guard Devices

Data Staging File Zilla Ps FTP Winscp

Veeam PSQL Dump

DNS Zone Export

Sshtunneltoexternalhost

NTD Sdumpwbadmin

Bumblee Bee Initiailaccess

TH Obfuscated Or Encoded Commandline

LM Internal Threat Hunting Over Routers Devices

Detecting Abuse Of Sync Thing Tool To Steal Data

Sliver C2beacon Loaded

NRT Auto IR High Impact Alert

Entra Identify And Map Authentication Context Usage

Access Review On Role Assignable Group Auto Deleted

XDR Upn Alerts

Detecting Modification Of Windows Security Audit Policy Auditpolexe

Detecting Execution Of Windows Security Audit Policy Auditpolexe

Detect Suspicious Spn Logon From Workstation

Detect Dump Guard Ntlm Challenge

Third Party Phishing Report Malfunction

Audit When PIM Fails To Remove An Eligible Member From Role

Detect Last Pass Hack Emails Attempts To Trick Users Into Installing Malware

Identifying File Exfiltration Via RDP Sessions

Cache Smuggle

NTDS File Create Modify

Identities Bad Reputation ASN Activities