DeviceProcessEvents

Notepad Chrysalis Backdoor gup.exe Spawned Binaries Excluding Known Good Notepad Hashes

DeviceNetworkEvents

Notepad Chrysalis Backdoor gup.exe Detection

DeviceProcessEvents, DeviceNetworkEvents

Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation

SigninLogs

Emergency Access Usage Alert

AuditLogs

Azure RBAC Elevation Via User Access Admin Toggle

DeviceInfo, DeviceTvmInfoGathering, DeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One Windows Clients Only

IdentityLogonEvents, IdentityInfo

Auto Disable High Risk AD User

DeviceTvmInfoGathering, DeviceEvents

Windows Trigger Full Scan For Devices That Have Not Completed One

DeviceTvmInfoGathering, DeviceEvents

Windows Recent Devices Missing Full Scan

DeviceInfo, DeviceFileEvents

Linux Suspicious Cron Persistence

DeviceInfo, DeviceNetworkEvents

Linux Server Public Egress Baseline High Fidelity

DeviceInfo, DeviceProcessEvents

Linux LOLBin Downloads To Temporary Directories

DeviceInfo, DeviceEvents

Linux Script Activity Script Content

DeviceInfo, DeviceFileEvents

Linux File Activity Baseline

DeviceProcessEvents, DeviceNetworkEvents

Linux Archive Command Followed By Upload Egress

DeviceNetworkEvents

Linux Network Fanout From The Upload Process

DeviceInfo, DeviceEvents

Linux Antivirus Activity

DeviceProcessEvents

Linux User Activity Leading Up To Exfiltration

DeviceInfo, DeviceNetworkEvents

Linux Desktop Public Egress Baseline Low Noise

DeviceInfo, DeviceNetworkEvents

Linux Network Events Baseline Report Id Dedupe

DeviceInfo, DeviceLogonEvents

Linux Logon Activity

DeviceInfo, DeviceEvents, DeviceProcessEvents +3

Linux Action Type Inventory All Tables

DeviceNetworkEvents

Notepad Chrysalis Backdoor Network IOCs

DeviceFileEvents

Notepad Chrysalis Backdoor File Hash IOCs

DeviceInfo, DeviceProcessEvents

Linux Telemetry Validation Test Process

DeviceTvmSoftwareInventory

Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509

IdentityInfo, ExposureGraphNodes

Hunt Accounts With Leaked Credentials

EntraIdSignInEvents, AuditLogs

Authenticator Device Enrollment Country Risk Baseline

EntraIdSignInEvents

Sign In Risk Analysis

EmailUrlInfo, EmailEvents

IA Threat Intelligence Feed Evaluation Based On URL IOCs

EmailAttachmentInfo, EmailEvents

IA Threat Intelligence Feed Evaluation Based On File Hash IOCs

EmailUrlInfo, EmailEvents

IA Threat Intelligence Feed Evaluation Based On Domain IOCs

EmailEvents, UrlClickEvents, SigninLogs

Suspicious Sign In After Phishing Link Click

DeviceImageLoadEvents, DeviceFileCertificateInfo

Monitor DLLs By Signer

IdentityInfo, SecurityEvent

Certificate Issued To Privileged User

DeviceProcessEvents, DeviceNetworkEvents

Detect Unknown Process Launched Via WinRM

AuditLogs, AADUserRiskEvents, CloudAppEvents

Detect PIM Elevation With User Risk

SigninLogs, AADNonInteractiveUserSignInLogs, AADUserRiskEvents

Detect Device Code With User Risk

DeviceNetworkEvents, DeviceProcessEvents

Detect Msiexec Executing DLL Network Connections

DeviceProcessEvents, DeviceFileCertificateInfo

Detect Unsigned Exec Launch From Scheduled Task

DeviceEvents, DeviceFileEvents

Detect LOLDriver Drop Or Load From Unknown Process

DeviceProcessEvents

Detect Rare Scheduled Task Created

DeviceNetworkEvents

Detect Unknown Process Using SMB And WinRM

IntuneAuditLogs, BehaviorEntities, IdentityInfo +1

User With Uncommon Or Risky Behavior Is Deploying A Script With Intune To All Users Or All Devices

IntuneAuditLogs, BehaviorEntities, IdentityInfo +1

Delete An Intune Multi Approval Policy By User With Uncommon Or Risky Behavior

IntuneAuditLogs, BehaviorEntities, IdentityInfo +1

User With Uncommon Or Risky Behavior Is Deploying An Application With Intune To All Users Or All Devices

IntuneAuditLogs, IdentityInfo, GraphAPIAuditEvents +1

Managed Service Provider User B2B Or GDAP Without Device Compliance Or MFA Claim Is Managing Intune

IntuneAuditLogs

Mass Wipe Or Retire Device Action

SigninLogs, AADNonInteractiveUserSignInLogs, NetworkAccessTraffic

Consent Fix Hunting Confidence On Token And Network Signals

DeviceFileEvents

macOS Login Window Hooks Authorization Plugins