EmailPostDeliveryEvents
Search and discover KQL queries for Microsoft Sentinel, Defender, and Azure Monitor
EmailEventsUrlClickEvents
MDO 16 Campaign Exposure Delivered Clicked
EmailAttachmentInfoEmailEvents
MDO 04 Dangerous File Types Delivered
EmailEventsUrlClickEvents
MDO 06 Users Clicked Confirmed Malicious
CampaignInfo
MDO 15 Campaign View Campaign Info
EmailEvents
MDO 01 Malicious Email Delivered To Inbox
EmailEvents
MDO 07 Email Auth Failures Spoofing
EmailEventsUrlClickEventsCloudAppEvents
MDO 29 Kill Chain Email Click Identity Cloud
FileMaliciousContentInfo
MDO 22 Malicious Files Share Point One Drive
UrlClickEventsCloudAppEvents
MDO 23 Mass Download After Phishing
UrlClickEventsCloudAppEvents
MDO 25 Suspicious Inbox Rule After Click
EmailAttachmentInfo
MDO 03 Confirmed Malware Attachments
EmailEvents
MDO 13 Compromised Internal Sender
EmailEventsEmailPostDeliveryEvents
MDO 11 Exposure Window Delivery To Remediation
EmailAttachmentInfoEmailEvents
MDO 12 Quishing QR Phishing Images
UrlClickEvents
MDO 20 Teams Safe Links Click Through
EmailUrlInfo
MDO 09 Lookalike Typosquat Domains
EmailEvents
MDO 02 Phishing Campaign Clustering
UrlClickEvents
MDO 05 Safe Links Click Through To Blocked URL
EmailEvents
MDO 08 BEC Display Name Impersonation
UrlClickEventsCloudAppEvents
MDO AR 04 Inbox Rule After Click
EmailEvents
MDO AR 02 BEC Display Name Impersonation
UrlClickEvents
MDO AR 01 Safe Links Click Through
CloudAppEvents
MDO AR 05 Illicit O Auth Consent
EmailEvents
MDO AR 03 Compromised Internal Sender
SigninLogsAADNonInteractiveUserSignInLogs
26 ROPC New Country Or ASN
SigninLogsAADNonInteractiveUserSignInLogs
28 ROPC Impossible Travel
SigninLogsAADNonInteractiveUserSignInLogs
27 ROPC Dormant Account
SigninLogsAADNonInteractiveUserSignInLogs
24 ROPC Credential Stuffing
AADNonInteractiveUserSignInLogs
17 Impossible Travel Multiple Countries
AADNonInteractiveUserSignInLogs
16 Password Spray Non Interactive
AADNonInteractiveUserSignInLogs
08 Brute Force Success Chain
AADServicePrincipalSignInLogs
21 Service Principal Anomalous IP Spread
AADRiskyUsersAADNonInteractiveUserSignInLogs
15 NI Auth Risky Users
AADNonInteractiveUserSignInLogsOfficeActivity
14 NI Auth Bulk Data Download
AADNonInteractiveUserSignInLogsAuditLogs
10 Stale Token After Password Change
AADNonInteractiveUserSignInLogs
18 Legacy Auth MFA Bypass
SigninLogsAADNonInteractiveUserSignInLogs
06 ROPC Authentication Detected
AADNonInteractiveUserSignInLogs
19 High Frequency Token Refresh
SigninLogsAADNonInteractiveUserSignInLogs
09 MFA Fatigue Silent Token Abuse
AADNonInteractiveUserSignInLogs
23 Brute Force Single User Targeted
IdentityInfoSigninLogsAADNonInteractiveUserSignInLogs
25 ROPC Privileged User
DeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilitiesDeviceTvmSoftwareEvidenceBeta
High Risk Software Vulnerabilities Detected Via EPSS Scoring
DeviceNetworkEvents
Device Network Events Suspicious Process Connection To Cloudfront Domain
DeviceNetworkEvents
Device Network Events Uncommon Process Connection To Suspicious Domain
DeviceNetworkEventsDeviceImageLoadEvents
Multiple Uncommon Loaded Image Connection To Suspicious Domain
DeviceInfoDeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilities+1
