KQL Search

AuditLogs

MCP Server Registered To Entra

Jay Kerai|Feb 5, 2026

StorageBlobLogs

Anonymous Retrieval Of Azure Blob Versions

Fabian Bader|Feb 5, 2026

AzureActivityAuditLogs

Unauthorized Federated Credential Added To Managed Identity

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Adds Client Secret To Target Application

Fabian Bader|Feb 5, 2026

StorageFileLogs

Successful Azure Storage File Access From Unauthorized Geo Location

Fabian Bader|Feb 5, 2026

AuditLogs

Privileged Role Assignment Outside Of PIM

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Added To Global Administrator Role

Fabian Bader|Feb 5, 2026

AuditLogs

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Fabian Bader|Feb 5, 2026

StorageBlobLogs

Potential Storage Enumeration Or Brute Force Attack

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Azurekid Blackcat Security Module Activity

Fabian Bader|Feb 5, 2026

AADServicePrincipalSignInLogs

Service Principal Sign In From New Country

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Service Principal Enumeration Of App Role Assignments

Fabian Bader|Feb 5, 2026

DeviceProcessEvents

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Jay Kerai|Feb 3, 2026

DeviceNetworkEvents

Notepad Chrysalis Backdoor Gupexe Detection

Jay Kerai|Feb 3, 2026

DeviceProcessEventsDeviceNetworkEvents

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

Jay Kerai|Feb 3, 2026

DeviceInfoDeviceTvmInfoGatheringDeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only

Nathan Hutchinson|Feb 2, 2026

IdentityLogonEventsIdentityInfo

Auto Disable High Risk AD User

Nathan Hutchinson|Feb 2, 2026

AuditLogs

Azure RBAC Elevation Via User Access Admin Toggle

Nathan Hutchinson|Feb 2, 2026

SigninLogs

Emergency Access Usage Alert

Nathan Hutchinson|Feb 2, 2026

DeviceTvmInfoGatheringDeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One

Nathan Hutchinson|Feb 2, 2026

DeviceTvmInfoGatheringDeviceEvents

Windows Recent Devices Missing Full Scan

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceFileEvents

Linux File Activity Baseline

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceEventsDeviceProcessEvents+3

Linux Action Type Inventory All Tables

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceNetworkEvents

Linux Server Public Egress Baseline High Fidelity

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceEvents

Linux Script Activity Script Content

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceProcessEvents

Linux LO Lbin Downloads To Temporary Directories

Nathan Hutchinson|Feb 2, 2026

DeviceNetworkEvents

Linux Network Fanout From The Upload Process

Nathan Hutchinson|Feb 2, 2026

DeviceProcessEventsDeviceNetworkEvents

Linux Archive Command Followed By Upload Egress

Nathan Hutchinson|Feb 2, 2026

DeviceProcessEvents

Linux User Activity Leading Up To Exfiltration

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceNetworkEvents

Linux Desktop Public Egress Baseline Low Noise

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceNetworkEvents

Linux Network Events Baseline Report Id Dedupe

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceEvents

Linux Antivirus Activity

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceFileEvents

Linux Suspicious Cron Persistence

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceLogonEvents

Linux Logon Activity

Nathan Hutchinson|Feb 2, 2026

DeviceNetworkEvents

Notepad Chrysalis Backdoor Network IO Cs

Jay Kerai|Feb 2, 2026

DeviceFileEvents

Notepad Chrysalis Backdoor File Hash IO Cs

Jay Kerai|Feb 2, 2026

DeviceInfoDeviceProcessEvents

Linux Telemetry Validation Test Process

Nathan Hutchinson|Feb 2, 2026

DeviceTvmSoftwareInventory

Microsoft Office Security Feature Bypass Vulnerability CVE 2026 21509

Sergio Albea|Jan 27, 2026

IdentityInfoExposureGraphNodes

Hunt Accounts With Leaked Credentials

Robbe Van den Daele|Jan 26, 2026

EntraIdSignInEventsAuditLogs

Authenticator Device Enrollment Country Risk Baseline

Daniel Card|Jan 24, 2026

EntraIdSignInEvents

Sign In Risk Analysis

Daniel Card|Jan 24, 2026

EmailUrlInfoEmailEvents

IA Threat Intelligence Feed Evaluation Based On URL IO Cs

Sergio Albea|Jan 17, 2026

EmailAttachmentInfoEmailEvents

IA Threat Intelligence Feed Evaluation Based On File Hashes IO Cs

Sergio Albea|Jan 17, 2026

EmailUrlInfoEmailEvents

IA Threat Intelligence Feed Evaluation Based On Domains IO Cs

Sergio Albea|Jan 17, 2026

EmailEventsUrlClickEventsSigninLogs

Suspicious Sign In After Phishing Link Click

Benjamin Zulliger|Jan 15, 2026

DeviceImageLoadEventsDeviceFileCertificateInfo

Monitor DL Ls By Signer

Jay Kerai|Jan 14, 2026

IdentityInfoSecurityEvent

Certificate Issued To Privileged User

Benjamin Zulliger|Jan 13, 2026

DeviceProcessEventsDeviceNetworkEvents

Detect Unkown Process Launched Via Win RM

Robbe Van den Daele|Jan 12, 2026

AuditLogsAADUserRiskEventsCloudAppEvents

Detect PIM Elevation With User Risk

Robbe Van den Daele|Jan 12, 2026

SigninLogsAADNonInteractiveUserSignInLogsAADUserRiskEvents

Detect Device Code With User Risk

Robbe Van den Daele|Jan 12, 2026

KQL Search

Our Sponsors ❤️

MCP Server Registered To Entra

Anonymous Retrieval Of Azure Blob Versions

Unauthorized Federated Credential Added To Managed Identity

Service Principal Adds Client Secret To Target Application

Successful Azure Storage File Access From Unauthorized Geo Location

Privileged Role Assignment Outside Of PIM

Service Principal Added To Global Administrator Role

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Potential Storage Enumeration Or Brute Force Attack

Azurekid Blackcat Security Module Activity

Service Principal Sign In From New Country

Service Principal Enumeration Of App Role Assignments

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Notepad Chrysalis Backdoor Gupexe Detection

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only

Auto Disable High Risk AD User

Azure RBAC Elevation Via User Access Admin Toggle

Emergency Access Usage Alert

Windows Trigger Full Scan For Devices That Have Not Completed One

Windows Recent Devices Missing Full Scan

Linux File Activity Baseline

Linux Action Type Inventory All Tables

Linux Server Public Egress Baseline High Fidelity

Linux Script Activity Script Content

Linux LO Lbin Downloads To Temporary Directories

Linux Network Fanout From The Upload Process

Linux Archive Command Followed By Upload Egress

Linux User Activity Leading Up To Exfiltration

Linux Desktop Public Egress Baseline Low Noise

Linux Network Events Baseline Report Id Dedupe

Linux Antivirus Activity

Linux Suspicious Cron Persistence

Linux Logon Activity

Notepad Chrysalis Backdoor Network IO Cs

Notepad Chrysalis Backdoor File Hash IO Cs

Linux Telemetry Validation Test Process

Microsoft Office Security Feature Bypass Vulnerability CVE 2026 21509

Hunt Accounts With Leaked Credentials

Authenticator Device Enrollment Country Risk Baseline

Sign In Risk Analysis

IA Threat Intelligence Feed Evaluation Based On URL IO Cs

IA Threat Intelligence Feed Evaluation Based On File Hashes IO Cs

IA Threat Intelligence Feed Evaluation Based On Domains IO Cs

Suspicious Sign In After Phishing Link Click

Monitor DL Ls By Signer

Certificate Issued To Privileged User

Detect Unkown Process Launched Via Win RM

Detect PIM Elevation With User Risk

Detect Device Code With User Risk