Search and discover KQL queries for Microsoft Sentinel, Defender, and Azure Monitor

EmailEvents, EmailUrlInfo

Detect Potential Malicious Emails Based On Internet Message Id Dates

EmailEvents

Detect Microsoft One Time Pass Code Emails Via Internet Message Id Odspnotify Value

EmailEvents, EmailUrlInfo

Detect Microsoft Shared File Messages Via Internet Message Id Odspnotify Value

AuditLogs

Audit Logs Unexpected Device OS Type Modification

IdentityDirectoryEvents

MDI AD Group Policy Password Policy

Watchlist

Sentinel Watchlists

PowerPlatformAdminActivity, CloudAppEvents

Power Platform Customer Lockbox

CloudAppEvents, IdentityInfo

Copilot Agents Sharing

CloudAppEvents

Copilot Agents Allowed Agent Types

OfficeActivity, CloudAppEvents

Copilot Agent Approval

CopilotActivity

Copilot Jailbreak Detected

CloudAppEvents, IdentityInfo

Copilot Agents User Access

SigninLogs, AADNonInteractiveUserSignInLogs

Multiple Unusual User Agent From Registered Device Avoiding Conditional Access

DeviceEvents, DeviceProcessEvents

Defender Red Sun Detection Named Pipe Detection Correlated To Antivirus Detection

SigninLogs

List Of MFA Methods Used With UPN Details

IdentityInfo, ExposureGraphNodes

MDXDR Critical Assets

DeviceEvents

Defender Red Sun Detection Named Pipe Detection

DeviceFileEvents

Defender Red Sun Detection Tiering Engine Service Created In App Data

SigninLogs, AADNonInteractiveUserSignInLogs, ADFSSignInLogs

Multiple Suspicious Device Code Authentication

SigninLogs

Users Authenticating With The MFA Companion App

SigninLogs

Overview Of All MFA Methods In Use

DeviceNetworkEvents, DeviceFileEvents

Suspicious 0-Day Adobe Reader Process Activity

DeviceProcessEvents

Detect TLS Validation Bypass Via PowerShell

DeviceProcessEvents, DeviceFileEvents

Audit Claude Behavior

DeviceProcessEvents

Git Abuse High Fidelity

DeviceProcessEvents

Execution Git Commit Amend No Verify

DeviceProcessEvents

Execution Batch Git Abuse

DeviceProcessEvents

Defense Evasion Time Change Git

DeviceProcessEvents

Defense Evasion Git Config Masquerade

DeviceProcessEvents

Correlation Git And VS Code Task Abuse

DeviceProcessEvents

Git Force Push

DeviceLogonEvents, DeviceNetworkEvents

Privileged RDP Session Source Mismatch

DeviceRegistryEvents

IFEO Unauthorized Debugger Registration

DeviceProcessEvents

macOS Suspicious Shell Or Direct Process Execution From Browser

DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB

Device TVM Secure Configuration Assessment Summary

DeviceNetworkEvents

Node C2polinder

DeviceFileEvents

VS Code Persistence

DeviceProcessEvents

Polin Rider Node

AzureActivity

Azure Activity Compromised Account

EntraIdSignInEvents, SigninLogs

Successful Signin From Suspicious User Agent

DeviceProcessEvents

Local Administrator Account Added By Scheduled Task

DeviceEvents

Defender IOC Warning Bypass Or Monitor Mode MDA Bypass

DeviceInfo

List Devices Array

SecurityEvent

Security Event Unusual User Account Authentication

EmailAttachmentInfo, EmailEvents

IC Catching Emojis In Email Attachment File Names

DeviceFileEvents

IC Catching Emojis In File Names

EmailEvents, UrlClickEvents

IC Catching Emojis In Email Subjects

FileMaliciousContentInfo

MDO File Malicious Content Info

SentinelHealth

Sentinel Health Scheduled Analytics Rule Runs Anomaly

DeviceProcessEvents

Advanced Multi Stage Windows Enumeration Post Exploitation Detector