Hunt MDI Not Installed

DeviceTvmSoftwareInventory ExposureGraphNodes
Author: Robbe Van den Daele
Released: June 23rd, 2025

Analytics Entra ID Role Assignments

AuditLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Audit Logs Entra ID Role Assignment

EntraIDRoleAssignments
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Audit Logs Entra ID B2C Settings Modified

AuditLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Analytics Unexpected Entra ID Device

_GetWatchlist AuditLogs SigninLogs AADNonInteractiveUserSignInLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Multiple Unexpected Entra ID Device

UnexpectedEntraIDDevice
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Audit Logs Entra ID Unusual Operation

AuditLogs
Author: Jose Sebastián Canós
Released: June 23rd, 2025

Detecting Connections Affected By The Blocking Legacy Authentication Enforcement Expected By July 2025

AADSignInEventsBeta
Author: Sergio Albea
Released: June 23rd, 2025

Unified Identity Info XDR

IdentityInfo OAuthAppInfo ExposureGraphNodes ExposureGraphEdges
Author: Thomas Naunheim
Released: June 23rd, 2025

Sniffing Out UNC3944 On Teams

IdentityInfo MessageEvents MessageUrlInfo
Author: Steven Lim
Released: June 22nd, 2025

Cloudflared Tunnel

DeviceProcessEvents
Author: C.J. May
Released: June 20th, 2025

External Attack Surface Monitoring KQL

ExposureGraphNodes DeviceNetworkEvents
Author: Steven Lim
Released: June 18th, 2025

Social Engineering Attack Detection

EmailEvents DeviceNetworkEvents RMMList
Author: Steven Lim
Released: June 18th, 2025

User Account Deletion

SecurityEvent
Author: Bert-Jan Pals
Released: June 16th, 2025

Detect Changes To Connect Sync Application

AuditLogs
Author: Robbe Van den Daele
Released: June 16th, 2025

Detect Cred Add To Connect Sync Application

AuditLogs
Author: Robbe Van den Daele
Released: June 16th, 2025

TA4557 Drops More Eggs

DeviceEvents
Author: Steven Lim
Released: June 16th, 2025

CVE-2025-33073 Detection

DeviceInfo DnsEvents
Author: Steven Lim
Released: June 16th, 2025

Entra ID Enterprise Apps Deleted

AuditLogs
Author: Alex Verboon
Released: June 15th, 2025

Entra ID PIM Role Activations

AuditLogs
Author: Alex Verboon
Released: June 15th, 2025

Entra ID Disabled Users With Priv Roles

IdentityInfo
Author: Alex Verboon
Released: June 15th, 2025

MDE Defender Passive Mode

DeviceTvmInfoGathering
Author: Alex Verboon
Released: June 15th, 2025

MDE Windows Server Client Missing Updates Summary

DeviceTvmSoftwareVulnerabilities DeviceInfo
Author: Alex Verboon
Released: June 15th, 2025

Discord Invite Hijacking Detection

DeviceNetworkEvents
Author: Steven Lim
Released: June 15th, 2025

MDE Office 365 Version History

DeviceTvmSoftwareInventory
Author: Alex Verboon
Released: June 14th, 2025

Suspicious OAuth Applications Used To Retrieve And Send Emails

OAuthAppInfo
Author: Steven Lim
Released: June 14th, 2025

Potential Commands Executed By A Renamed PowerShell.exe

DeviceProcessEvents
Author: Sergio Albea
Released: June 12th, 2025

Hunt MSOL Azure AD Connect Or Entra Sync Servers

DeviceTvmSoftwareInventory
Author: Robbe Van den Daele
Released: June 12th, 2025

APT Stealth Falcon CVE-2025-33053 Detection

DeviceFileEvents DeviceProcessEvents
Author: Steven Lim
Released: June 11th, 2025

Conditional Access Baseline Gap Detected Due To Policy Change

AuditLogs Maester_CL
Author: Thomas Naunheim
Released: June 11th, 2025

Auth Methods Token Bounded CAE

SigninLogs AADNonInteractiveUserSignInLogs
Author: Thomas Naunheim
Released: June 11th, 2025

Audit User Tries To Change Password To A Non-Complying Password

AuditLogs
Author: Jay Kerai
Released: June 10th, 2025

Disabled Account Attack Disruption

CloudAppEvents
Author: Bert-Jan Pals
Released: June 8th, 2025

ANYRUN Obfuscated BAT Dropper Delivers NetSupport RAT Post

DeviceProcessEvents DeviceRegistryEvents
Author: Steven Lim
Released: June 6th, 2025

3 Finding Sensitive Roles With CSPM Posture And Used By OAuth

WorkloadIdentityInfoXdr
Author: Thomas Naunheim
Released: June 4th, 2025

1 Correlation Between Alert And Attack Path

securityresources SecurityAlert
Author: Thomas Naunheim
Released: June 4th, 2025

2 Sensitive Labels In Azure Resources

securityresources
Author: Thomas Naunheim
Released: June 4th, 2025

3 EPM Insights

securityresources
Author: Thomas Naunheim
Released: June 4th, 2025

2 Adv Correlation Between Alert And Attack Path

SecurityAlert
Author: Thomas Naunheim
Released: June 4th, 2025

1 List Of Critical Azure Resources In XSPM

ExposureGraphNodes AlertEvidence
Author: Thomas Naunheim
Released: June 4th, 2025

2 Custom Graph Query On Recommendations And Target

ExposureGraphEdges ExposureGraphNodes
Author: Thomas Naunheim
Released: June 4th, 2025

3 Correlation Between CSPM And Identity Info

securityresources IdentityInfo authorizationresources
Author: Thomas Naunheim
Released: June 4th, 2025

1 Overview Of Attack Paths

securityresources
Author: Thomas Naunheim
Released: June 4th, 2025

Quarantined Messages

MessagePostDeliveryEvents MessageEvents MessageUrlInfo
Author: Jose Sebastián Canós
Released: June 4th, 2025

Quarantined Emails

EmailPostDeliveryEvents EmailEvents
Author: Jose Sebastián Canós
Released: June 4th, 2025

OtterCookie Detection

DeviceFileEvents DeviceNetworkEvents
Author: Steven Lim
Released: June 4th, 2025

NTLMv2 Hash Leak Via COM Detection

DeviceLogonEvents DeviceNetworkEvents
Author: Steven Lim
Released: May 31st, 2025

OAuth App Using The OD File Picker Permission

OAuthAppInfo
Author: Steven Lim
Released: May 31st, 2025

One Click ANYRUN Storm-1747 KQL Scan

WeeklyOSINT EmailAttachmentInfo EmailUrlInfo DeviceFileEvents DeviceNetworkEvents
Author: Steven Lim
Released: May 29th, 2025

Hunting DragonForce With ANYRUN Threat Intelligence

WeeklyOSINT EmailAttachmentInfo DeviceFileEvents
Author: Steven Lim
Released: May 29th, 2025