KQL Search

DeviceProcessEvents

Click Fix Lo L Bin Abuse

Benjamin Zulliger|Feb 23, 2026

DeviceProcessEvents

Click Fix Nslookup DNS Staging

Benjamin Zulliger|Feb 23, 2026

DeviceRegistryEvents

Run MRU Click Fix Detection

Benjamin Zulliger|Feb 23, 2026

SecurityIncidentSecurityAlert

Alert Efficiency

Bert-Jan Pals|Feb 22, 2026

EntraIdSignInEvents

Entra Id Sign In Events Suspicious User Agent

Jay Kerai|Feb 17, 2026

EntraIdSignInEvents

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Jay Kerai|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Windows Firewall Outbound Blocked Connections

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Outbound Firewall Blocks Filter By Device And Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Summarise Firewall Outbound Blocks By Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Outbound Firewall Blocks Filtered By Firewall Profile

Nathan Hutchinson|Feb 17, 2026

AuditLogs

Security Copilot Agent Deleted

Jay Kerai|Feb 17, 2026

DeviceNetworkEvents

Windows Find Net BIOS Name Service NBNS Usage UDP 137

Nathan Hutchinson|Feb 15, 2026

EmailEventsEmailUrlInfo

Applying Shanon Entropy To Sender Domains Via Kusto

Sergio Albea|Feb 12, 2026

DeviceEvents

Windows Inbound Firewall Blocks By Process

Nathan Hutchinson|Feb 12, 2026

DeviceEvents

Windows All Firewall Inbound Block Events Last 100

Nathan Hutchinson|Feb 12, 2026

IdentityLogonEvents

Windows Detect NTLM Usage In The Environment

Nathan Hutchinson|Feb 12, 2026

DeviceTvmSoftwareVulnerabilitiesDeviceProcessEventsDeviceFileEvents+2

CVE 2026 21510 Windows Shell Security Feature Bypass

Benjamin Zulliger|Feb 11, 2026

EntraUsers

Detection Enrichment Entra User

Bert-Jan Pals|Feb 11, 2026

EntraGroupMembershipsEntraGroups

Detection Enrichment Entra Group Membership

Bert-Jan Pals|Feb 10, 2026

DeviceNetworkEvents

Device IP History

C.J. May|Feb 10, 2026

MessageEventsIdentityInfoMessageUrlInfo

Detect External User Sending Suspicious Link To Multiple Users

Robbe Van den Daele|Feb 10, 2026

MessageEventsIdentityInfo

Detect Possible Teams Bec Attack By High Teams Recipients

Robbe Van den Daele|Feb 10, 2026

MessageEventsMessageUrlInfo

Detect Malicious Teams Message

Robbe Van den Daele|Feb 10, 2026

DeviceRegistryEvents

Image File Execution Options IFEO Or Silent Process Exit Registry Modification

Benjamin Zulliger|Feb 9, 2026

DeviceFileEvents

Malicious Browser Extension Downloads Using Device File Events

Jay Kerai|Feb 8, 2026

SigninLogsAADNonInteractiveUserSignInLogs

Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts

Jay Kerai|Feb 5, 2026

AuditLogs

MCP Server Registered To Entra

Jay Kerai|Feb 5, 2026

AADServicePrincipalSignInLogs

Service Principal Sign In From New Country

Fabian Bader|Feb 5, 2026

AuditLogs

Privileged Role Assignment Outside Of PIM

Fabian Bader|Feb 5, 2026

StorageBlobLogs

Anonymous Retrieval Of Azure Blob Versions

Fabian Bader|Feb 5, 2026

StorageFileLogs

Successful Azure Storage File Access From Unauthorized Geo Location

Fabian Bader|Feb 5, 2026

AuditLogs

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Fabian Bader|Feb 5, 2026

AzureActivityAuditLogs

Unauthorized Federated Credential Added To Managed Identity

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Added To Global Administrator Role

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Adds Client Secret To Target Application

Fabian Bader|Feb 5, 2026

StorageBlobLogs

Potential Storage Enumeration Or Brute Force Attack

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Service Principal Enumeration Of App Role Assignments

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Azurekid Blackcat Security Module Activity

Fabian Bader|Feb 5, 2026

DeviceProcessEvents

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Jay Kerai|Feb 3, 2026

DeviceNetworkEvents

Notepad Chrysalis Backdoor Gupexe Detection

Jay Kerai|Feb 3, 2026

DeviceProcessEventsDeviceNetworkEvents

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

Jay Kerai|Feb 3, 2026

AuditLogs

Azure RBAC Elevation Via User Access Admin Toggle

Nathan Hutchinson|Feb 2, 2026

IdentityLogonEventsIdentityInfo

Auto Disable High Risk AD User

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceTvmInfoGatheringDeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only

Nathan Hutchinson|Feb 2, 2026

DeviceTvmInfoGatheringDeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One

Nathan Hutchinson|Feb 2, 2026

SigninLogs

Emergency Access Usage Alert

Nathan Hutchinson|Feb 2, 2026

DeviceTvmInfoGatheringDeviceEvents

Windows Recent Devices Missing Full Scan

Nathan Hutchinson|Feb 2, 2026

DeviceNetworkEvents

Linux Network Fanout From The Upload Process

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceEventsDeviceProcessEvents+3

Linux Action Type Inventory All Tables

Nathan Hutchinson|Feb 2, 2026

DeviceProcessEventsDeviceNetworkEvents

Linux Archive Command Followed By Upload Egress

Nathan Hutchinson|Feb 2, 2026

KQL Search

Our Sponsors ❤️

Click Fix Lo L Bin Abuse

Click Fix Nslookup DNS Staging

Run MRU Click Fix Detection

Alert Efficiency

Entra Id Sign In Events Suspicious User Agent

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Windows Windows Firewall Outbound Blocked Connections

Windows Outbound Firewall Blocks Filter By Device And Firewall Profile

Windows Summarise Firewall Outbound Blocks By Firewall Profile

Windows Outbound Firewall Blocks Filtered By Firewall Profile

Security Copilot Agent Deleted

Windows Find Net BIOS Name Service NBNS Usage UDP 137

Applying Shanon Entropy To Sender Domains Via Kusto

Windows Inbound Firewall Blocks By Process

Windows All Firewall Inbound Block Events Last 100

Windows Detect NTLM Usage In The Environment

CVE 2026 21510 Windows Shell Security Feature Bypass

Detection Enrichment Entra User

Detection Enrichment Entra Group Membership

Device IP History

Detect External User Sending Suspicious Link To Multiple Users

Detect Possible Teams Bec Attack By High Teams Recipients

Detect Malicious Teams Message

Image File Execution Options IFEO Or Silent Process Exit Registry Modification

Malicious Browser Extension Downloads Using Device File Events

Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts

MCP Server Registered To Entra

Service Principal Sign In From New Country

Privileged Role Assignment Outside Of PIM

Anonymous Retrieval Of Azure Blob Versions

Successful Azure Storage File Access From Unauthorized Geo Location

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Unauthorized Federated Credential Added To Managed Identity

Service Principal Added To Global Administrator Role

Service Principal Adds Client Secret To Target Application

Potential Storage Enumeration Or Brute Force Attack

Service Principal Enumeration Of App Role Assignments

Azurekid Blackcat Security Module Activity

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Notepad Chrysalis Backdoor Gupexe Detection

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

Azure RBAC Elevation Via User Access Admin Toggle

Auto Disable High Risk AD User

Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only

Windows Trigger Full Scan For Devices That Have Not Completed One

Emergency Access Usage Alert

Windows Recent Devices Missing Full Scan

Linux Network Fanout From The Upload Process

Linux Action Type Inventory All Tables

Linux Archive Command Followed By Upload Egress