EXPLORE

EXPLORE DETECTIONS

581 detections found

Hunt for the 20 most unusual connections made by Office.

KQL

Identify accounts that have logged on to endpoints affected by Cobalt Strike

This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*.

KQL

identify mail items accessed by a specific IP address (CISA)

This query is taken from the CISA playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf

KQL

Identify unused high privileged application permissions

The query below identifies high-privileged application permissions that are not being used. These permissions can be revoked from the application to adhere to the principle of least privilege.

KQL

Image File Execution Options and .bat file usage in association with Wadhrama ransomware

This query was originally published in the threat analytics report, *RDP ransomware persists as Wadhrama*.

KQL

Inbound Authentication From Public IP

This query can be used to identify devices that are publicly exposed to the internet by monitoring for inbound authentication attempts from public IP addresses.

KQL

Inbound SSH Connection to Vulnerable XZ Machine

This KQL query can be used to detect post-exploitation activity related to CVE-2024-3094. This vulnerability concerns reports of malicious code embedded in XZ Utils versions 5.6.0 and 5.6.1. Multiple sources suggest that the malicious code is injected into functions that sshd relies on, in order to bypass authentication; this is yet to be confirmed.

KQL

Incidents to Mitre ATTACK navigator

This query takes incidents from Defender, looks up the MITRE ATT&CK technique of each, and then produces the ATT&CK Navigator layer format for upload to https://mitre-attack.github.io/attack-navigator/

KQL

Ingestion Delays

This query can be used to calculate ingestion delays of the unified security platform. In this specific case the GraphAPIAuditEvents and MicrosoftGraphActivityLogs tables are compared, but these table names can be changed to any other table. For all EDR logs you can, for example, use `union withsource=TableName Device*` to cover all tables whose names start with Device.

KQL

Ingestion Size Security Events

The query below returns the top 10 Windows Security Events with the biggest footprint in your Sentinel environment. The query can be used to assess value for money, as a higher event volume increases the cost of your Sentinel environment. The size of each event depends on the amount of data in its columns.

KQL

IPv4 command detected in lolbin execution

This query returns all LOLBin executions whose command line references a remote IPv4 address. Such remote IPs can be used to make connections for lateral movement or to remotely upload or download files.

T1218
KQL

JA3 Fingerprint Blacklist

KQL

Java process executing command line to download and execute PowerShell script

This query was originally published in the threat analytics report, *Sysrv botnet evolution*.

KQL

Javascript use by Qakbot malware

This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.

KQL

Kerberos attacks

#### Risk

T1649 T1558.003 T1558 T1558.004 T1558.001 +4
KQL

Kinsing miner download

This query was originally published in the threat analytics report, *Sysrv botnet evolution*.

KQL

Known exploited vulnerabilities by CISA still active on devices

CISA maintains a list of vulnerabilities that are known to be actively exploited; this query uses that information to enrich your vulnerability management process by matching the CISA CVE IDs against the CVE IDs currently present on your devices. This can help prioritize which vulnerabilities need patching first.

KQL

KQL Regex List

This page will be used as a quick reference guide for KQL regex queries. Those regular expressions can be used within your detection rules. For additional information see the [Regex RE2 Library from Microsoft](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/re2-library).

KQL

KQLQuery Visits

Visualize the visits to [KQLQuery.com](KQLQuery.com) in a column chart.

KQL

KQLSearch Visits

Visualize the visits to [kqlsearch.com](kqlsearch.com) in a column chart.

KQL

Large Number of Analytics Rules Deleted

This query can be used to detect when a large number of Sentinel Analytics Rules are deleted within a short timeframe. This could be part of the normal detection lifecycle, but it could also have been done with malicious intent.

T1562.001 T1562
KQL

Large Number of Virtual Machines started

This query detects when a large number of Virtual Machines is started within a short timeframe. The query uses two inputs: Threshold and TimeFrame. The threshold is the number of machines above which the query outputs results; the timeframe is the period within which that threshold must be reached.

T1578.002 T1578
KQL

Last Heartbeat Arc Machines

This query lists the latest heartbeat for each Azure Arc onboarded machine.

KQL

Last Password Change Time with Account Creation Time

```kql
| where Department contains @"Cyber" or JobTitle contains "architect" // Example of further filtering
```

KQL
Page 12 of 25