Search and discover KQL queries for Microsoft Sentinel, Defender, and Azure Monitor

DeviceLogonEvents

Potential Entra Admin Synced Back On Premise (tables: IdentityInfo)
MDE Scheduled Tasks (tables: DeviceInfo, DeviceProcessEvents)
Privileged Account Authentication Method Audit (tables: IdentityInfo, SigninLogs)
Linux Pedit COW Exploit Detection CVE-2026-46331 (tables: DeviceProcessEvents)
User Risk Event Correlation With Historical Baseline (tables: AADUserRiskEvents, EntraIdSignInEvents, IdentityInfo)
User Risk Event Correlation With Historical Baseline And Account Age (tables: AADUserRiskEvents, EntraIdSignInEvents, IdentityInfo)
Unofficial WinGet Source Added (tables: DeviceProcessEvents, DeviceRegistryEvents)
Executable Files Program Data Folder (tables: DeviceFileEvents)
Executable Files Public Folder (tables: DeviceFileEvents)
Suspicious oahd Activity On macOS (tables: DeviceFileEvents, DeviceProcessEvents)
Unusual LDAP Query Burst From New Or Known Device (tables: IdentityQueryEvents)
LDAP Cross Domain Enumeration (tables: IdentityQueryEvents)
MDE Internet Facing (tables: DeviceInfo, DeviceNetworkEvents, ThreatIntelligenceIndicator)
MDE Local AI Agents (tables: AgentsInfo)
Correlating LDAP Reconnaissance With Kerberoasting And Sensitive Queries (tables: IdentityQueryEvents, IdentityLogonEvents)
macOS Keychain Dump Via Security CLI (tables: DeviceProcessEvents)
Suspicious Tool Accessing Browser Cookies On macOS (tables: DeviceProcessEvents)
Device TVM Secure Configuration Assessment Enrichment With SCID Details (tables: DeviceTvmSecureConfigurationAssessment)
30 PIM Self Activation Tier 0 Role (tables: AuditLogs)
Windows Workstations With RDP Enabled And Allowed Connections (tables: ExposureGraphNodes)
High Risk Vulnerabilities With Exploits Detected On Onboarded Devices (tables: ExposureGraphNodes)
Azure DevOps High Volume Search Activity (tables: ADOAuditLogs_CL)
Masking Account Names And UPNs For Demos (tables: IdentityLogonEvents)
Multiple Uncommon Loaded Image Connection To Suspicious Domain (tables: DeviceNetworkEvents, DeviceImageLoadEvents)
Outbound Connection To Spydisec High Confidence Malicious IP (tables: DeviceNetworkEvents)
Sentinel Rule Tuning Queries (tables: SecurityAlert, SecurityIncident, SentinelHealth, +1 more)
Identify Windows Devices Missing Defender For Endpoint WSL Plugin (tables: DeviceInfo, DeviceTvmSoftwareInventory)
Workload Identity Info XDR (tables: AADRiskyServicePrincipals, ExposureGraphEdges, ExposureGraphNodes, +2 more)
21 Service Principal Anomalous IP Spread (tables: AADServicePrincipalSignInLogs)
14 NI Auth Bulk Data Download (tables: AADNonInteractiveUserSignInLogs, OfficeActivity)
10 Stale Token After Password Change (tables: AADNonInteractiveUserSignInLogs, AuditLogs)
Device Network Events Uncommon Process Connection To Suspicious Domain (tables: DeviceNetworkEvents)
Detect Shebang Code Inside Files With Unusual Extensions (tables: DeviceFileEvents)
Detect Shebang Code Inside Device Files (tables: DeviceFileEvents)
Detect Shebang File Types Received Via Email (tables: DeviceFileEvents, EmailAttachmentInfo)
Unified Identity Info XDR (tables: IdentityInfo, IdentityAccountInfo, ExposureGraphNodes, ExposureGraphEdges, OAuthAppInfo)
CA Sign-Ins With Audience Enrichment (tables: EntraIdSignInEvents, SigninLogs, AADNonInteractiveUserSignInLogs)
Enriched Microsoft Graph Activity (tables: ExposureGraphNodes, GraphAPIAuditEvents)
Sensitive Microsoft Graph Delegated Permission Access (tables: SigninLogs, AADNonInteractiveUserSignInLogs)
Rogue Planet Defender TOCTOU LPE Detection (tables: DeviceProcessEvents, DeviceRegistryEvents, DeviceFileEvents)
Suspicious VS Code Extensions Hunting (tables: DeviceFileEvents)
ISO Virtual DVD-ROM File Mount (tables: DeviceEvents)

DeviceFileEvents