SigninLogsAADNonInteractiveUserSignInLogs
Search and discover KQL queries for Microsoft Sentinel, Defender, and Azure Monitor
SigninLogsAADNonInteractiveUserSignInLogs
27 ROPC Dormant Account
SigninLogsAADNonInteractiveUserSignInLogs
28 ROPC Impossible Travel
SigninLogsAADNonInteractiveUserSignInLogs
26 ROPC New Country Or ASN
AADServicePrincipalSignInLogs
21 Service Principal Anomalous IP Spread
AADNonInteractiveUserSignInLogs
08 Brute Force Success Chain
AADNonInteractiveUserSignInLogs
19 High Frequency Token Refresh
SigninLogsAADNonInteractiveUserSignInLogs
09 MFA Fatigue Silent Token Abuse
AADNonInteractiveUserSignInLogsOfficeActivity
14 NI Auth Bulk Data Download
AADNonInteractiveUserSignInLogs
17 Impossible Travel Multiple Countries
AADNonInteractiveUserSignInLogs
16 Password Spray Non Interactive
AADNonInteractiveUserSignInLogs
23 Brute Force Single User Targeted
AADNonInteractiveUserSignInLogsAuditLogs
10 Stale Token After Password Change
IdentityInfoSigninLogsAADNonInteractiveUserSignInLogs
25 ROPC Privileged User
AADNonInteractiveUserSignInLogs
18 Legacy Auth MFA Bypass
AADRiskyUsersAADNonInteractiveUserSignInLogs
15 NI Auth Risky Users
SigninLogsAADNonInteractiveUserSignInLogs
06 ROPC Authentication Detected
DeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilitiesDeviceTvmSoftwareEvidenceBeta
High Risk Software Vulnerabilities Detected Via EPSS Scoring
DeviceNetworkEvents
Device Network Events Suspicious Process Connection To Cloudfront Domain
DeviceNetworkEvents
Device Network Events Uncommon Process Connection To Suspicious Domain
DeviceNetworkEventsDeviceImageLoadEvents
Multiple Uncommon Loaded Image Connection To Suspicious Domain
DeviceInfoDeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilities+1
Vulnerability Statistics Logic App Sentinel Workbook
ExposureGraphEdges
Entra ID Privileged Role Membership Inventory Via Exposure Graph
AgentsInfoCloudAppEvents
Hunt AI Agent Activity With Agent Info
AgentsInfoExposureGraphNodesCloudAppEvents
Hunt Local AI Agent Activity With Agent Info
AgentsInfoIdentityInfo
Orphaned Security Agent Detection
IdentityInfoSigninLogs
Adminsignsinfronnewnetwork
CommonSecurityLogSigninLogsAzureActivity
Possible Malware Activity
CommonSecurityLog
Outbound Upload From Internal Host
DeviceLogonEvents
Anomalous Increase In Unique Device Logon Count Per User
IdentityInfo
Potential Entra Admin Synced Back On Premise
DeviceInfoDeviceProcessEvents
MDE Schedulted Tasks
IdentityInfoSigninLogs
Privileged Account Authentication Method Audit
DeviceProcessEvents
Linux Pedit COW Exploit Detection CVE 2026 46331
AADUserRiskEventsEntraIdSignInEventsIdentityInfo
User Risk Event Correlation With Historical Baseline
AADUserRiskEventsEntraIdSignInEventsIdentityInfo
User Risk Event Correlation With Historical Baseline And Account Age
DeviceProcessEventsDeviceRegistryEvents
Unofficial Win Get Source Added
DeviceFileEvents
Executable Files Program Data Folder
DeviceFileEvents
Executable Files Public Folder
DeviceFileEventsDeviceProcessEvents
Suspicious Oahd Activity On Mac OS
IdentityQueryEvents
Unusual LDAP Query Burst From New Or Known Device
IdentityQueryEvents
LDAP Cross Domain Enumeration
DeviceInfoDeviceNetworkEventsThreatIntelligenceIndicator
MDE Internet Facing
AgentsInfo
MDE Local AI Agents
IdentityQueryEventsIdentityLogonEvents
