Our Sponsors ❤️
Cache Smuggle
DeviceProcessEvents
Author: Daniel CardReleased: October 14th, 2025
NTDS File Create Modify
DeviceFileEvents
Author: Ali HusseinReleased: October 13rd, 2025
Identities Bad Reputation ASN Activities
IdentityLogonEvents
Author: Sergio AlbeaReleased: October 10th, 2025
Security Event Unexpected Network Share Access In A Domain Controller
_GetWatchlistSecurityEvent
Author: Jose Sebastián CanósReleased: October 7th, 2025
Detect First Time Azure Custom Script Or Run Command
BehaviorAnalytics
Author: Robbe Van den DaeleReleased: October 6th, 2025
Detect Executable Drop Via Azure
DeviceFileEvents
Author: Robbe Van den DaeleReleased: October 6th, 2025
Detect Azure Script Or Run Command By Risky User
AzureActivityAADUserRiskEvents
Author: Robbe Van den DaeleReleased: October 6th, 2025
Detect Process Drop Via Azure Lateral Movement
DeviceFileEventsDeviceNetworkEvents
Author: Robbe Van den DaeleReleased: October 6th, 2025
MDA IP Address Type
CloudAppEvents
Author: Jay KeraiReleased: October 2nd, 2025
MDA File Download By Country
CloudAppEvents
Author: Jay KeraiReleased: October 2nd, 2025
Anomalies Anomalous Role Assignment
Anomalies
Author: Jose Sebastián CanósReleased: October 1st, 2025
XDR Device Alerts
AlertEvidenceAlertInfo
Author: Bert-Jan PalsReleased: September 28th, 2025
Detecting Potential CA Policy Bypass By Privileged Accounts Via Private Browser Sessions
DeviceProcessEventsIdentityInfo
Author: Sergio AlbeaReleased: September 28th, 2025
Multiple Activity From Anonymous IP Addresses
AADUserRiskEventsSecurityAlertSigninLogsAADNonInteractiveUserSignInLogs
Author: Jose Sebastián CanósReleased: September 26th, 2025
Ingestion Delays
GraphAPIAuditEventsMicrosoftGraphActivityLogs
Author: Bert-Jan PalsReleased: September 23th, 2025
Removed Device Events
SecurityEventAuditLogs
Author: Jose Sebastián CanósReleased: September 23th, 2025
Multiple Microsoft Entra Threat Intelligence
AADUserRiskEventsSecurityAlertSigninLogs
Author: Jose Sebastián CanósReleased: September 18th, 2025
New KSMBD Do S CVE 2025 38501 Can Exhaust SMB Connections Via Half Open TCP Handshakes
DeviceInfoDeviceNetworkEvents
Author: Sergio AlbeaReleased: September 17th, 2025
Multiple Entra ID Protection Risk Events
EntraIDProtectionRiskEvents
Author: Jose Sebastián CanósReleased: September 17th, 2025
Analytics Entra ID Protection Risk Events
AADUserRiskEvents
SecurityAlert
SigninLogs
AADNonInteractiveUserSignInLogs
Author: Jose Sebastián CanósReleased: September 17th, 2025
Multiple Risky AD FS Sign In
AADUserRiskEventsSigninLogs
Author: Jose Sebastián CanósReleased: September 17th, 2025
MDE Aggregated Reporting
DeviceFileEventsDeviceLogonEventsDeviceNetworkEventsDeviceProcessEvents
Author: Alex VerboonReleased: September 17th, 2025
MDE Onboarding Status Timeline
DeviceInfo
Author: Alex VerboonReleased: September 17th, 2025
TH Wmic PS Encoded
DeviceProcessEvents
Author: Alex VerboonReleased: September 17th, 2025
Sign In Attempts Using Deprecated TLS Versions
AADSignInEventsBeta
Author: Sergio AlbeaReleased: September 16th, 2025
Hunt Critical Credentials On Non Tpm Devices
ExposureGraphNodesExposureGraphEdges
Author: Robbe Van den DaeleReleased: September 15th, 2025
Hunt Critical Credentials On Devices With Non Critical Accounts
ExposureGraphNodesExposureGraphEdges
Author: Robbe Van den DaeleReleased: September 15th, 2025
Hunt Public Remotly Exploitable Devices With High EPSS
ExposureGraphNodesDeviceNetworkEventsDeviceTvmSoftwareVulnerabilitiesDeviceTvmSoftwareVulnerabilitiesKB
Author: Robbe Van den DaeleReleased: September 15th, 2025
Hunting For Malicious Click Fix Cases From Airports
DeviceNetworkEvents
Author: Sergio AlbeaReleased: September 12nd, 2025
Add Custom Security Attribute Definition In An Attribute Set
AADCustomSecurityAttributeAuditLogs
Author: Jay KeraiReleased: September 10th, 2025
WDAC App Control Collect Data For App Control Manager
DeviceEvents
Author: Jay KeraiReleased: September 9th, 2025
Device Events App Locker Events
DeviceEvents
Author: Jay KeraiReleased: September 9th, 2025
Potential User Signed Into Edge Browser From Unmanaged Or Unregistered Device
SigninLogs
Author: Jay KeraiReleased: September 8th, 2025
Rclone Copy Process Args
DeviceProcessEvents
Author: Jay KeraiReleased: September 7th, 2025
Azure Function App Stopped Or Deleted
AzureActivity
Author: Jay KeraiReleased: September 5th, 2025
Azure Communication Services Deleted
AzureActivity
Author: Jay KeraiReleased: September 5th, 2025
Azure Logic App Disabled Or Deleted
AzureActivity
Author: Jay KeraiReleased: September 5th, 2025
AAD Sign In Events Beta Hunting Potential Seamless SSO Usage
AADSignInEventsBeta
Author: Jay KeraiReleased: August 30th, 2025
Multiple Verified Threat Actor IP
AADUserRiskEventsSecurityAlertSigninLogs
Author: Jose Sebastián CanósReleased: August 29th, 2025
Multiple Suspicious API Traffic
AADUserRiskEventsSecurityAlertAADNonInteractiveUserSignInLogs
Author: Jose Sebastián CanósReleased: August 29th, 2025
MDE Sense Triggers Power Shell Public IP
DeviceNetworkEvents
Author: Alex VerboonReleased: August 29th, 2025
MDE Suspicious TCP Flags
DeviceNetworkEvents
Author: Alex VerboonReleased: August 29th, 2025
TH Top Level Domains
DeviceNetworkEventsEmailUrlInfoEmailEventsUrlClickEvents
Author: Alex VerboonReleased: August 29th, 2025
TH Use Of Administrator Account
DeviceLogonEvents
Author: Alex VerboonReleased: August 29th, 2025
Purview Entra CA Block Insider Risk
SigninLogs
Author: Alex VerboonReleased: August 29th, 2025
Entra ID Entra Connect Sync Audit Events
SecurityEvent
Author: Alex VerboonReleased: August 29th, 2025
Azure Dev Ops Repositories
ExposureGraphNodes
Author: Alex VerboonReleased: August 29th, 2025
AD Account Last Logon
IdentityInfoIdentityLogonEvents
Author: Alex VerboonReleased: August 29th, 2025
Multiple Leaked Credentials
AADUserRiskEventsSecurityAlert
Author: Jose Sebastián CanósReleased: August 28th, 2025
Fetch Dynamic And Manual Tags For Active Devices
DeviceInfo
Author: Michalis MichalosReleased: August 28th, 2025