Search and discover KQL queries for Microsoft Sentinel, Defender, and Azure Monitor
Our Sponsors ❤️
AADUserRiskEventsEntraIdSignInEventsIdentityInfo
User Risk Event Correlation With Historical Baseline And Account Age
SecurityEvent
Security Event Unexpected NTLM Network Authentication
CloudAppEvents
Microsoft Dynamics 365 Privilege Escalation Via Role Or Team Modification
IdentityInfo
MDI Service Accounts Without Service Principals And MS As
DeviceFileEvents
Executable Files Program Data Folder
DeviceFileEvents
Executable Files Public Folder
DeviceProcessEventsDeviceRegistryEvents
Unofficial Win Get Source Added
IdentityQueryEvents
Unusual LDAP Query Burst From New Or Known Device
IdentityQueryEvents
LDAP Cross Domain Enumeration
DeviceInfoDeviceNetworkEventsThreatIntelligenceIndicator
MDE Internet Facing
AgentsInfo
MDE Local AI Agents
IdentityQueryEventsIdentityLogonEvents
Correlating LDAP Reconnaissance With Kerberoasting And Sensitive Queries
DeviceFileEventsDeviceProcessEvents
Suspicious Oahd Activity On Mac OS
DeviceProcessEvents
Mac OS Keychain Dump Via Security CLI
DeviceProcessEvents
Suspicious Tool Accessing Browser Cookies On Mac OS
DeviceTvmSecureConfigurationAssessment
Device Tvm Secure Configuration Assessment Enrichment With SCID Details
AuditLogs
30 PIM Self Activation Tier0role
AuditLogs
29 Service Principal Self Privilege Escalation
ExposureGraphNodes
Windows Workstations With RDP Enabled And Allowed Connections
ExposureGraphNodes
High Risk Vulnerabilities With Exploits Detected On Onboarded Devices
AuditLogs
Removal Of Roles Post GDAP Relationship Ending
ADOAuditLogs_CL
Azure Dev Ops High Volume Search Activity
ADOAuditLogs_CL
Azure Dev Ops Token Administration Activity From Non Corporate IP
IdentityLogonEvents
Masking Account Names And UP Ns For Demos
DeviceNetworkEventsDeviceImageLoadEvents
Multiple Uncommon Loaded Image Connection To Suspicious Domain
DeviceNetworkEvents
Outbound Connection To Spydisec High Confidence Malicious IP
SecurityAlertSecurityIncidentSentinelHealth+1
Sentinel Rule Tuning Queries
DeviceInfoDeviceTvmSoftwareInventory
Identify Windows Devices Missing Defender For Endpoint WSL Plugin
AADServicePrincipalSignInLogs
21 Service Principal Anomalous IP Spread
AADNonInteractiveUserSignInLogsOfficeActivity
14 NI Auth Bulk Data Download
AADNonInteractiveUserSignInLogsAuditLogs
10 Stale Token After Password Change
DeviceNetworkEvents
Device Network Events Uncommon Process Connection To Suspicious Domain
DeviceFileEvents
Detect Shebang Code Inside Files With Unusual Extensions
DeviceFileEvents
Detect Shebang Code Inside Device Files
DeviceFileEventsEmailAttachmentInfo
Detect Shebang File Types Received Via Email
DeviceProcessEventsDeviceRegistryEventsDeviceFileEvents
Rogue Planet Defender TOCTOU LPE Detection
DeviceEvents
ISO Virtual DVD ROM File Mount
DeviceFileEvents
Suspicious RDP Bitmap Cache Access
DeviceEvents
Potential Azure VM Admin Password Reset Using VM Access Extension
DeviceInfoDeviceTvmSoftwareVulnerabilitiesDeviceTvmSoftwareVulnerabilitiesKB
Discovered Network Devices CVE CVSS
AIAgentsInfo
AI Agent Third Party Plugin With Internal Data Access
AIAgentsInfo
AI Agent With Weak Authentication Or Access Control
DeviceEvents
RPC Attack Detection
DeviceFileEventsDeviceNetworkEvents
Hunting Uncommon VS Code Extensions
DeviceProcessEvents
HEX And XOR Obfuscated Powershell Click Fix Attack
EmailPostDeliveryEventsEmailEventsEmailAttachmentInfo+3
Multiple Zapped Emails With Possibly Malicious Entities Unchecked
AppEvents
Agent Channel Distribution
AppEvents
Agent Topic Trigger Enumeration
AppEvents
Agent Indirect Injection In Response
AppEvents