EXPLORE DETECTIONS
Get an inventory of SolarWinds Orion software possibly affected by Nobelium
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Get Tenant ID for Given Domain
This query will return the tenant ID for a domain. It has little use today, but if externaldata allowed variables it could be quite useful as a function.
Global Admin Elevations To User Access Administrator at Root Level
Graph API runHuntingQuery
This query lists successful runHuntingQuery Graph API calls from applications.
GraphAPI Resource Request Statistics
The requests that are executed by the Graph API are standardized, thus we can use the RequestUri to get statistics on which Resource is requested. The *{resource}* parameter is used for the resource in Microsoft Graph that you're referencing.
GraphAPI URI Request Statistics
Retrieving request statistics gives us the opportunity for new use cases. One can now summarize all the GraphAPI request types easily with the following query. The unique deltatokens have been removed from the data, returning a better overview of the executed requests.
GraphAPIAuditEvents App Enrichment AADNonInteractiveUserSignInLogs Based
This query enriches the *GraphAPIAuditEvents* with Application information from the *AADNonInteractiveUserSignInLogs* table to get more context in the results.
GraphAPIAuditEvents App Enrichment ExternalData Based
This query enriches the *GraphAPIAuditEvents* with Application information using the Azure_Application_ID list developed by [@Beercow](https://github.com/Beercow). With the [externaldata operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer), 1000+ AppIds can be enriched, resulting in the query below.
GraphAPIAuditEvents IP Enrichment
The IP information can be enriched using the [geo_info_from_ip_address()](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function) function, which returns the country, state, city, latitude and longitude of each IPv4 and IPv6 address.
GraphAPIAuditEvents User Enrichment
This query enriches the *MicrosoftGraphActivityLogs* with user information from the *IdentityInfo* table to get more context in the results.
Group Membership Report
This query can be used to draw a report of the Entra ID group memberships of all users.
Guest user with AD roles
This query can be used to display all Guest users in the tenant who have Azure Active Directory roles. Guest users by default have different rights than normal users; once Guest users are assigned additional roles, those permissions change. Therefore, the least privilege principle should be applied to Guest (and all other) users, so that these Guest users cannot access sensitive information.
Hanada Group Crowdstrike Impersonation Detection
This query detects activity from Hanada group malware impersonating Crowdstrike updates.
Hiding a Java class file
This query was originally published in the threat analytics report, *Adwind utilizes Java for cross-platform impact*.
HTTP Request Methods Statistics
Hunt for activities where Hard Delete user was performed
This query lists activities where a hard user delete has been performed.
Hunt for anomalies in Sentinel
The anomalies table contains anomalies generated by the active Anomaly analytics rules in Azure Sentinel. Those anomalies do not trigger an incident by default (at the moment of writing). This query lists the anomalies and the reasons why they are anomalies.
Hunt for devices with the most SMB connections
This hunting query lists all the devices and the unique connections they have made with a remote SMB port. Devices with a large number of connected SMB sessions can be interesting to investigate.
Hunt for files that have been used by APTs since 2015
This query uses an external CSV that contains APT ransomware note hashes. This list is used to search your environment for hash-based matches on those ransomware notes.
Hunt for Local Admins with the most RemoteInteractive logins
Hunt for malicious files that have been identified by CERT-FR
Hunt for newly identified lateral movement paths to sensitive accounts
Defender for Identity identifies lateral movement paths to all sensitive accounts (where possible). This is similar to a BloodHound output. A newly identified path can mean that a sensitive account can be taken over if the path is followed.