Our Sponsors ❤️
EntraIdSignInEvents
Entra Id Sign In Events Suspicious User Agent
EntraIdSignInEvents
Entra Id Sign In Events Hunting Potential Seamless SSO Usage
DeviceEventsDeviceNetworkInfo
Windows Outbound Firewall Blocks Filtered By Firewall Profile
DeviceEventsDeviceNetworkInfo
Windows Outbound Firewall Blocks Filter By Device And Firewall Profile
DeviceEventsDeviceNetworkInfo
Windows Windows Firewall Outbound Blocked Connections
DeviceEventsDeviceNetworkInfo
Windows Summarise Firewall Outbound Blocks By Firewall Profile
AuditLogs
Security Copilot Agent Deleted
DeviceNetworkEvents
Windows Find Net BIOS Name Service NBNS Usage UDP 137
EmailEventsEmailUrlInfo
Applying Shanon Entropy To Sender Domains Via Kusto
DeviceEvents
Windows Inbound Firewall Blocks By Process
IdentityLogonEvents
Windows Detect NTLM Usage In The Environment
DeviceEvents
Windows All Firewall Inbound Block Events Last 100
DeviceTvmSoftwareVulnerabilitiesDeviceProcessEventsDeviceFileEvents+2
CVE 2026 21510 Windows Shell Security Feature Bypass
EntraUsers
Detection Enrichment Entra User
EntraGroupMembershipsEntraGroups
Detection Enrichment Entra Group Membership
DeviceNetworkEvents
Device IP History
MessageEventsMessageUrlInfo
Detect Malicious Teams Message
MessageEventsIdentityInfoMessageUrlInfo
Detect External User Sending Suspicious Link To Multiple Users
MessageEventsIdentityInfo
Detect Possible Teams Bec Attack By High Teams Recipients
DeviceRegistryEvents
Image File Execution Options IFEO Or Silent Process Exit Registry Modification
DeviceFileEvents
Malicious Browser Extension Downloads Using Device File Events
SigninLogsAADNonInteractiveUserSignInLogs
Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts
AuditLogs
MCP Server Registered To Entra
AuditLogs
Service Principal Adds Client Secret To Target Application
StorageBlobLogs
Potential Storage Enumeration Or Brute Force Attack
AuditLogs
Service Principal Added To Global Administrator Role
MicrosoftGraphActivityLogs
Service Principal Enumeration Of App Role Assignments
AzureActivityAuditLogs
Unauthorized Federated Credential Added To Managed Identity
StorageBlobLogs
Anonymous Retrieval Of Azure Blob Versions
MicrosoftGraphActivityLogs
Azurekid Blackcat Security Module Activity
AuditLogs
Granting Of High Risk Privilege Escalation Permissions To Service Principal
AADServicePrincipalSignInLogs
Service Principal Sign In From New Country
AuditLogs
Privileged Role Assignment Outside Of PIM
StorageFileLogs
Successful Azure Storage File Access From Unauthorized Geo Location
DeviceProcessEvents
Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes
DeviceNetworkEvents
Notepad Chrysalis Backdoor Gupexe Detection
DeviceProcessEventsDeviceNetworkEvents
Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation
DeviceTvmInfoGatheringDeviceEvents
Windows Trigger Full Scan For Devices That Have Not Completed One
SigninLogs
Emergency Access Usage Alert
IdentityLogonEventsIdentityInfo
Auto Disable High Risk AD User
AuditLogs
Azure RBAC Elevation Via User Access Admin Toggle
DeviceInfoDeviceTvmInfoGatheringDeviceEvents
Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only
DeviceTvmInfoGatheringDeviceEvents
Windows Recent Devices Missing Full Scan
DeviceInfoDeviceNetworkEvents
Linux Server Public Egress Baseline High Fidelity
DeviceNetworkEvents
Linux Network Fanout From The Upload Process
DeviceInfoDeviceProcessEvents
Linux LO Lbin Downloads To Temporary Directories
DeviceInfoDeviceNetworkEvents
Linux Network Events Baseline Report Id Dedupe
DeviceInfoDeviceEvents
Linux Antivirus Activity
DeviceProcessEvents
Linux User Activity Leading Up To Exfiltration
DeviceInfoDeviceFileEvents