EXPLORE DETECTIONS
Last Password Change User
This query lists the last password change time per user based on Active Directory logs. If you asked a user to reset their password, you can use this query to confirm that the reset was actually performed.
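Added example, not the repository's own query: it lists the most recent password change per user from the Defender for Identity `IdentityDirectoryEvents` table and checks whether a specific user changed their password after the moment you asked them to. The `ActionType` value, the lookback window, the hypothetical UPN and the request timestamp are assumptions; `DestinationDeviceName` is the domain controller that reported the change.

```kql
// Added example (not the repository's own query): last password change per user.
// Assumptions: ActionType "Account Password changed" from Defender for Identity,
// a 30-day lookback, and a hypothetical user/request time to confirm a reset.
let Lookback = 30d;
let TargetUser = "jane.doe@contoso.com";          // hypothetical UPN; leave empty ("") to list all users
let ResetRequestedAt = datetime(2024-01-15 09:00); // hypothetical moment the reset was requested
IdentityDirectoryEvents
| where Timestamp > ago(Lookback)
| where ActionType == "Account Password changed"
| where isnotempty(TargetAccountUpn)
// keep only the newest change per account
| summarize arg_max(Timestamp, *) by TargetAccountUpn
| project-rename LastPasswordChangeTime = Timestamp
| where isempty(TargetUser) or TargetAccountUpn =~ TargetUser
// true when the last change happened after the reset was requested
| extend ResetPerformedSinceRequest = LastPasswordChangeTime > ResetRequestedAt
| project LastPasswordChangeTime, TargetAccountUpn, TargetAccountDisplayName,
          ReportingDomainController = DestinationDeviceName, ResetPerformedSinceRequest
| sort by LastPasswordChangeTime desc
```

With `TargetUser` empty the query degrades to the plain "last change per user" listing; with a UPN set, a row with `ResetPerformedSinceRequest == false` (or no row at all within the lookback) means the reset has not been done.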
Latest Antivirus Scan Status
This query lists the latest completed antivirus scan for each device and limits the result to devices that completed a scan today.
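Added example, not the repository's own query: it goes slightly beyond the description above by starting from `DeviceInfo`, so devices that have not completed any scan in the lookback window also appear (they would otherwise be invisible). The `ScanTypeIndex` and `ScanStartTime` names inside `AdditionalFields` and the 7-day lookback are assumptions; verify the field names against events in your own tenant.

```kql
// Added example (not the repository's own query): latest completed AV scan per device,
// with devices that have no completed scan at all in the window kept in the result.
// Assumptions: AdditionalFields of AntivirusScanCompleted contains ScanTypeIndex
// ("Quick"/"Full") and ScanStartTime; 7-day lookback.
let Lookback = 7d;
let Scans = DeviceEvents
| where Timestamp > ago(Lookback)
| where ActionType == "AntivirusScanCompleted"
| extend Parsed = parse_json(AdditionalFields)
| extend ScanType = tostring(Parsed.ScanTypeIndex),
         ScanStartTime = todatetime(Parsed.ScanStartTime)
| summarize arg_max(Timestamp, ScanType, ScanStartTime) by DeviceId
| project DeviceId, LastScanCompleted = Timestamp, ScanType, ScanStartTime;
// one row per onboarded device seen in the last day
DeviceInfo
| where Timestamp > ago(1d)
| summarize arg_max(Timestamp, OSPlatform) by DeviceId, DeviceName
| project DeviceId, DeviceName, OSPlatform
| join kind=leftouter Scans on DeviceId
| extend ScannedToday = iff(isnull(LastScanCompleted), false, LastScanCompleted >= startofday(now()))
| extend HoursSinceLastScan = iff(isnull(LastScanCompleted), real(null),
                                  round((now() - LastScanCompleted) / 1h, 1))
| project DeviceName, OSPlatform, ScanType, ScanStartTime, LastScanCompleted, HoursSinceLastScan, ScannedToday
// devices without a scan today (including never-scanned ones) first
| sort by ScannedToday asc, LastScanCompleted asc
```

Add `| where ScannedToday` to reproduce the original "scanned today" filter, or `| where not(ScannedToday)` to get the list of devices that need attention.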
Launching questd ransomware using osascript
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
LDAPNightmare Exploitation Attempt
The query below detects the initial connection made to run the LDAPNightmare exploit. The exploit first connects to the victim server, which then sends a DNS SRV query. A hit on this query does not necessarily mean the exploit worked: if the system is patched or RPC access is denied, the exploit cannot be executed, but the query still returns results. This also makes it useful for hunting attempts; if the victim is still vulnerable, it was likely exploited.
List *.All MS Graph Permissions Added
This rule detects *.All Microsoft Graph permissions being added to applications. *.All permissions should be scoped where possible so that the least privilege principle can still be applied. Monitor for over-permissive applications and for rare permissions being added to applications.
List *.All MS Graph Permissions Added by application.
This rule detects *.All Microsoft Graph permissions being added to applications. *.All permissions should be scoped where possible so that the least privilege principle can still be applied. Monitor for over-permissive applications and for rare permissions being added to applications. This query summarizes the results per ServicePrincipalAppId; applications that have been granted multiple *.All permissions in particular should be investigated.
List Activities Compromised Device Can Perform as Source
List AD Delegations
This query monitors the different types of delegation configured in the environment.
List Alert Suppression Actions
This query lists all the suppression rules that have been added to Defender XDR. This gives you an overview of which rules were added, by whom and why.
List all AuditLog activities of a user
List all Cloud Permissions of a Compromised User
List all Global Admins in your tenant
This query lists all accounts that have the Global Admin role assigned. If you have enabled PIM, only users who activated the Global Administrator role through PIM within the search period will be shown.
List all GraphAPI requests of a suspicious user
List All Role Additions
This query lists all role additions that have been performed in your tenant. See the Microsoft link for the default roles that exist in Azure Active Directory; they include reader, operator, administrator and other roles. It is good practice to gain insight into the roles that have been assigned to accounts. Based on this query you can build a detection for specific roles with high privileges such as Global Admin, Security Admin or Exchange Admin.
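Added example, not the repository's own query, serving both the Global Admin listing and the role additions listing above: it reads directory role additions from the Microsoft Sentinel `AuditLogs` table, covers direct assignments, PIM eligible assignments and PIM activations, and flags a chosen set of high-privilege roles. The `OperationName` matching, the `Role.DisplayName` property name and the `HighPrivilegeRoles` set are assumptions based on the standard Entra ID audit schema.

```kql
// Added example (not the repository's own query): role additions from Entra ID AuditLogs.
// Assumptions: Category "RoleManagement"; completed additions have an OperationName that
// starts with "Add" and contains "member to role" (direct, eligible and PIM activation),
// the role name is in the "Role.DisplayName" modifiedProperties entry, 30-day lookback.
let Lookback = 30d;
let HighPrivilegeRoles = dynamic(["Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Exchange Administrator", "Application Administrator"]);
AuditLogs
| where TimeGenerated > ago(Lookback)
| where Category == "RoleManagement" and Result == "success"
| where OperationName startswith "Add" and OperationName has "member to role"
| where OperationName !has "requested"          // drop PIM request/approval steps
| extend ModifiedProps = TargetResources[0].modifiedProperties
// flatten the modifiedProperties array into one property bag per event
| mv-apply Prop = ModifiedProps on (
    summarize Props = make_bag(bag_pack(tostring(Prop.displayName), tostring(Prop.newValue)))
  )
// newValue is a JSON-encoded string, so strip the surrounding quotes
| extend RoleName = trim('"', tostring(Props["Role.DisplayName"]))
| extend TargetUser = tostring(TargetResources[0].userPrincipalName),
         TargetDisplayName = tostring(TargetResources[0].displayName)
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
| extend IsHighPrivilege = RoleName in (HighPrivilegeRoles)
| project TimeGenerated, OperationName, RoleName, IsHighPrivilege, TargetUser,
          TargetDisplayName, Initiator, CorrelationId
| sort by IsHighPrivilege desc, TimeGenerated desc
```

Append `| where RoleName == "Global Administrator"` for the Global Admin listing, or `| where IsHighPrivilege` as the basis for a detection rule on privileged roles.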
List Antivirus Scan Activities
This query lists all manual (and playbook-related) antivirus actions that were initiated and the related comments per device.
List applications with Mail.* API permissions
The query below lists the applications that have Mail.* Graph API permissions. These permissions are highly sensitive, as they can give access to individual or shared mailboxes.
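Added example, not the repository's own query, serving the two *.All permission entries and the Mail.* entry above: it reads app role assignments to service principals from the Sentinel `AuditLogs` table, keeps only grants on Microsoft Graph, classifies each permission as *.All and/or Mail.*, and summarizes per service principal so that applications with several *.All grants sort to the top. The `modifiedProperties` entry names (`AppRole.Value`, `ServicePrincipal.DisplayName`, `ServicePrincipal.ObjectID`, `TargetId.ServicePrincipalNames`) are assumptions based on the standard Entra ID audit event; the Microsoft Graph application id is the well-known constant.

```kql
// Added example (not the repository's own query): sensitive Microsoft Graph application
// permissions granted to service principals, summarized per service principal.
// Assumptions: Sentinel AuditLogs schema with the modifiedProperties entry names below.
let Lookback = 30d;
let GraphAppId = "00000003-0000-0000-c000-000000000000";   // well-known Microsoft Graph app id
AuditLogs
| where TimeGenerated > ago(Lookback)
| where OperationName == "Add app role assignment to service principal" and Result == "success"
| extend ModifiedProps = TargetResources[0].modifiedProperties
| mv-apply Prop = ModifiedProps on (
    summarize Props = make_bag(bag_pack(tostring(Prop.displayName), tostring(Prop.newValue)))
  )
| extend Permission = trim('"', tostring(Props["AppRole.Value"])),
         ServicePrincipalName = trim('"', tostring(Props["ServicePrincipal.DisplayName"])),
         ServicePrincipalObjectId = trim('"', tostring(Props["ServicePrincipal.ObjectID"])),
         ResourceNames = tostring(Props["TargetId.ServicePrincipalNames"])
| where ResourceNames contains GraphAppId                  // Microsoft Graph grants only
| extend IsAllScope = Permission endswith ".All",           // e.g. User.Read.All, Directory.ReadWrite.All
         IsMail = Permission startswith "Mail."             // e.g. Mail.Read, Mail.ReadWrite, Mail.Send
| where IsAllScope or IsMail
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
| summarize GrantCount = count(),
            FirstGrant = min(TimeGenerated), LastGrant = max(TimeGenerated),
            AllPermissions = make_set_if(Permission, IsAllScope),
            MailPermissions = make_set_if(Permission, IsMail),
            Initiators = make_set(Initiator)
    by ServicePrincipalName, ServicePrincipalObjectId
| extend AllPermissionCount = array_length(AllPermissions)
| sort by AllPermissionCount desc, GrantCount desc
```

Drop the `summarize` to get one row per grant for an alert rule; keep it for the periodic review of over-permissive applications.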
List Automatically Closed Incidents
List the incidents that are automatically closed by Microsoft Defender XDR. It is good practice to get an overview of the automatically closed incidents and review them periodically to determine whether all risks have been covered. The number of automatically closed incidents depends on the automation levels configured for automated investigation and remediation in your tenant.
List Connected USB Devices
This query lists statistics for all connected USB devices and their descriptions. This overview gives you an indication of which USB devices are connected to workstations and servers in your network, and can be used as a baseline for specific detections on USB connections.
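Added example, not the repository's own query: it builds the USB inventory from `PnpDeviceConnected` events, separates removable storage (`USBSTOR\` device ids) from other USB hardware, and records on how many hosts each device type was seen, which is the number a baseline detection would key on. The `ClassName`, `DeviceDescription`, `DeviceId` and `VendorIds` field names in `AdditionalFields` follow Microsoft's documented schema for this event; the lookback is an assumption.

```kql
// Added example (not the repository's own query): connected USB device inventory.
// Assumptions: PnpDeviceConnected AdditionalFields contain ClassName, DeviceDescription,
// DeviceId and VendorIds; 30-day lookback.
let Lookback = 30d;
DeviceEvents
| where Timestamp > ago(Lookback)
| where ActionType == "PnpDeviceConnected"
| extend Parsed = parse_json(AdditionalFields)
| extend ClassName = tostring(Parsed.ClassName),
         DeviceDescription = tostring(Parsed.DeviceDescription),
         PnpDeviceId = tostring(Parsed.DeviceId),
         VendorIds = tostring(Parsed.VendorIds)
// USB hardware is enumerated under the USB\ and USBSTOR\ device id prefixes
| where PnpDeviceId startswith @"USB\" or PnpDeviceId startswith @"USBSTOR\"
| extend IsRemovableStorage = PnpDeviceId startswith @"USBSTOR\"
| summarize ConnectionCount = count(),
            HostCount = dcount(DeviceId),
            Hosts = make_set(DeviceName, 20),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by ClassName, DeviceDescription, VendorIds, IsRemovableStorage
// rarely seen device types surface as candidates for a detection
| extend SeenOnSingleHost = HostCount == 1
| sort by IsRemovableStorage desc, ConnectionCount desc
```

Filtering on `IsRemovableStorage and SeenOnSingleHost` gives a first cut of unusual storage devices to review before turning the query into a detection.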
List Defender Discovery Activities
This query lists executions of Get-MpPreference, the cmdlet that shows the Windows Defender scan and update preferences, including the configured exclusions. Adversaries may use the information gathered during Security Software Discovery to shape follow-on behaviour, including whether or not they fully infect the target and which specific actions they attempt. Adversaries can abuse exclusions to execute malicious code.
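Added example, not the repository's own query: it lists Get-MpPreference executions and, going one step beyond the description, correlates each one with Add-MpPreference or Set-MpPreference calls that change exclusions or disable protection on the same device within the following hour, which is the follow-on behaviour the paragraph warns about. Command lines are matched literally with `has`/`has_any`, so encoded or obfuscated PowerShell is not covered; the one-hour window and the list of tampering parameters are assumptions.

```kql
// Added example (not the repository's own query): Defender preference discovery
// correlated with exclusion/protection changes on the same device within 1 hour.
// Assumptions: literal command-line matching (no decoding of -EncodedCommand),
// a 1-hour correlation window and the parameter list below; 30-day lookback.
let Lookback = 30d;
let Window = 1h;
let Discovery = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where ProcessCommandLine has "Get-MpPreference"
| project DiscoveryTime = Timestamp, DeviceId, DeviceName,
          DiscoveryCmd = ProcessCommandLine, DiscoveryAccount = AccountName,
          DiscoveryParent = InitiatingProcessFileName;
let Tampering = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where ProcessCommandLine has_any ("Add-MpPreference", "Set-MpPreference")
| where ProcessCommandLine has_any ("Exclusion", "DisableRealtimeMonitoring",
                                    "DisableBehaviorMonitoring", "DisableIOAVProtection")
| project TamperTime = Timestamp, DeviceId, TamperCmd = ProcessCommandLine;
Discovery
| join kind=leftouter Tampering on DeviceId
| extend InWindow = isnotnull(TamperTime)
                    and TamperTime between (DiscoveryTime .. DiscoveryTime + Window)
// collapse back to one row per discovery event, keeping only in-window tampering
| summarize FollowedByTampering = countif(InWindow) > 0,
            FirstTamper = minif(TamperTime, InWindow),
            TamperCmds = make_set_if(TamperCmd, InWindow)
    by DiscoveryTime, DeviceName, DiscoveryAccount, DiscoveryParent, DiscoveryCmd
| sort by FollowedByTampering desc, DiscoveryTime desc
```

Rows with `FollowedByTampering == true` are the ones worth an alert; the remaining rows are the plain discovery listing the entry above describes, useful for baselining legitimate administrative use.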
List Device Isolations
This query lists all the device isolation actions that have been performed by Defender for Endpoint. It is good practice to review these periodically. The query extracts multiple fields from the isolation action, such as which device was isolated, the isolation comment that was used and the type of isolation that was executed.