KQL Search

SecurityIncidentSecurityAlert

Alert Efficiency

Bert-Jan Pals|Feb 22, 2026

EntraIdSignInEvents

Entra Id Sign In Events Suspicious User Agent

Jay Kerai|Feb 17, 2026

EntraIdSignInEvents

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Jay Kerai|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Summarise Firewall Outbound Blocks By Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Outbound Firewall Blocks Filter By Device And Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Outbound Firewall Blocks Filtered By Firewall Profile

Nathan Hutchinson|Feb 17, 2026

DeviceEventsDeviceNetworkInfo

Windows Windows Firewall Outbound Blocked Connections

Nathan Hutchinson|Feb 17, 2026

AuditLogs

Security Copilot Agent Deleted

Jay Kerai|Feb 17, 2026

DeviceNetworkEvents

Windows Find Net BIOS Name Service NBNS Usage UDP 137

Nathan Hutchinson|Feb 15, 2026

EmailEventsEmailUrlInfo

Applying Shanon Entropy To Sender Domains Via Kusto

Sergio Albea|Feb 12, 2026

DeviceEvents

Windows All Firewall Inbound Block Events Last 100

Nathan Hutchinson|Feb 12, 2026

IdentityLogonEvents

Windows Detect NTLM Usage In The Environment

Nathan Hutchinson|Feb 12, 2026

DeviceEvents

Windows Inbound Firewall Blocks By Process

Nathan Hutchinson|Feb 12, 2026

DeviceTvmSoftwareVulnerabilitiesDeviceProcessEventsDeviceFileEvents+2

CVE 2026 21510 Windows Shell Security Feature Bypass

Benjamin Zulliger|Feb 11, 2026

EntraUsers

Detection Enrichment Entra User

Bert-Jan Pals|Feb 11, 2026

EntraGroupMembershipsEntraGroups

Detection Enrichment Entra Group Membership

Bert-Jan Pals|Feb 10, 2026

DeviceNetworkEvents

Device IP History

C.J. May|Feb 10, 2026

MessageEventsMessageUrlInfo

Detect Malicious Teams Message

Robbe Van den Daele|Feb 10, 2026

MessageEventsIdentityInfo

Detect Possible Teams Bec Attack By High Teams Recipients

Robbe Van den Daele|Feb 10, 2026

MessageEventsIdentityInfoMessageUrlInfo

Detect External User Sending Suspicious Link To Multiple Users

Robbe Van den Daele|Feb 10, 2026

DeviceRegistryEvents

Image File Execution Options IFEO Or Silent Process Exit Registry Modification

Benjamin Zulliger|Feb 9, 2026

DeviceFileEvents

Malicious Browser Extension Downloads Using Device File Events

Jay Kerai|Feb 8, 2026

SigninLogsAADNonInteractiveUserSignInLogs

Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts

Jay Kerai|Feb 5, 2026

AuditLogs

MCP Server Registered To Entra

Jay Kerai|Feb 5, 2026

AuditLogs

Privileged Role Assignment Outside Of PIM

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Azurekid Blackcat Security Module Activity

Fabian Bader|Feb 5, 2026

StorageBlobLogs

Potential Storage Enumeration Or Brute Force Attack

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Added To Global Administrator Role

Fabian Bader|Feb 5, 2026

AzureActivityAuditLogs

Unauthorized Federated Credential Added To Managed Identity

Fabian Bader|Feb 5, 2026

AADServicePrincipalSignInLogs

Service Principal Sign In From New Country

Fabian Bader|Feb 5, 2026

StorageBlobLogs

Anonymous Retrieval Of Azure Blob Versions

Fabian Bader|Feb 5, 2026

AuditLogs

Service Principal Adds Client Secret To Target Application

Fabian Bader|Feb 5, 2026

StorageFileLogs

Successful Azure Storage File Access From Unauthorized Geo Location

Fabian Bader|Feb 5, 2026

MicrosoftGraphActivityLogs

Service Principal Enumeration Of App Role Assignments

Fabian Bader|Feb 5, 2026

AuditLogs

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Fabian Bader|Feb 5, 2026

DeviceProcessEvents

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Jay Kerai|Feb 3, 2026

DeviceNetworkEvents

Notepad Chrysalis Backdoor Gupexe Detection

Jay Kerai|Feb 3, 2026

DeviceProcessEventsDeviceNetworkEvents

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

Jay Kerai|Feb 3, 2026

DeviceInfoDeviceTvmInfoGatheringDeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only

Nathan Hutchinson|Feb 2, 2026

SigninLogs

Emergency Access Usage Alert

Nathan Hutchinson|Feb 2, 2026

IdentityLogonEventsIdentityInfo

Auto Disable High Risk AD User

Nathan Hutchinson|Feb 2, 2026

DeviceTvmInfoGatheringDeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One

Nathan Hutchinson|Feb 2, 2026

AuditLogs

Azure RBAC Elevation Via User Access Admin Toggle

Nathan Hutchinson|Feb 2, 2026

DeviceTvmInfoGatheringDeviceEvents

Windows Recent Devices Missing Full Scan

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceNetworkEvents

Linux Desktop Public Egress Baseline Low Noise

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceFileEvents

Linux File Activity Baseline

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceLogonEvents

Linux Logon Activity

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceEventsDeviceProcessEvents+3

Linux Action Type Inventory All Tables

Nathan Hutchinson|Feb 2, 2026

DeviceInfoDeviceNetworkEvents

Linux Network Events Baseline Report Id Dedupe

Nathan Hutchinson|Feb 2, 2026

DeviceProcessEventsDeviceNetworkEvents

Linux Archive Command Followed By Upload Egress

Nathan Hutchinson|Feb 2, 2026

KQL Search

Our Sponsors ❤️

Alert Efficiency

Entra Id Sign In Events Suspicious User Agent

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Windows Summarise Firewall Outbound Blocks By Firewall Profile

Windows Outbound Firewall Blocks Filter By Device And Firewall Profile

Windows Outbound Firewall Blocks Filtered By Firewall Profile

Windows Windows Firewall Outbound Blocked Connections

Security Copilot Agent Deleted

Windows Find Net BIOS Name Service NBNS Usage UDP 137

Applying Shanon Entropy To Sender Domains Via Kusto

Windows All Firewall Inbound Block Events Last 100

Windows Detect NTLM Usage In The Environment

Windows Inbound Firewall Blocks By Process

CVE 2026 21510 Windows Shell Security Feature Bypass

Detection Enrichment Entra User

Detection Enrichment Entra Group Membership

Device IP History

Detect Malicious Teams Message

Detect Possible Teams Bec Attack By High Teams Recipients

Detect External User Sending Suspicious Link To Multiple Users

Image File Execution Options IFEO Or Silent Process Exit Registry Modification

Malicious Browser Extension Downloads Using Device File Events

Detect Potential Consent Fix O Auth Authorisation Code Theft Attempts

MCP Server Registered To Entra

Privileged Role Assignment Outside Of PIM

Azurekid Blackcat Security Module Activity

Potential Storage Enumeration Or Brute Force Attack

Service Principal Added To Global Administrator Role

Unauthorized Federated Credential Added To Managed Identity

Service Principal Sign In From New Country

Anonymous Retrieval Of Azure Blob Versions

Service Principal Adds Client Secret To Target Application

Successful Azure Storage File Access From Unauthorized Geo Location

Service Principal Enumeration Of App Role Assignments

Granting Of High Risk Privilege Escalation Permissions To Service Principal

Notepad Chrysalis Backdoor Gupexe Spawned Binaries Excluding Known Good Notepad Hashes

Notepad Chrysalis Backdoor Gupexe Detection

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only

Emergency Access Usage Alert

Auto Disable High Risk AD User

Windows Trigger Full Scan For Devices That Have Not Completed One

Azure RBAC Elevation Via User Access Admin Toggle

Windows Recent Devices Missing Full Scan

Linux Desktop Public Egress Baseline Low Noise

Linux File Activity Baseline

Linux Logon Activity

Linux Action Type Inventory All Tables

Linux Network Events Baseline Report Id Dedupe

Linux Archive Command Followed By Upload Egress