EXPLORE

EXPLORE DETECTIONS

🔍
588 detections found

List Defender Discovery Activities

This query lists the execution of Get-MpPreference, this function lists the preferences for the Windows Defender scans and updates, including the configured exclusions. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries can abuse exclusions to execute malicious code.

T1518.001T1518
KQL

List Device Isolations

This query lists all the device isolation activities that have been performed by Defender For Endpoint. It is good practice to review those once every x period. The query extracts multiple events from the isolation action, ssuch as which device is isolated, what isolation comment has been used and the type of isolation that has been executed.

KQL

List external applications with highly privileged permissions

The query below lists the external applications with highly privileged permissions. It is highly recommended to periodicly review the high priviliged external applications.

KQL

List Lateral Movements Paths to Compromised Device

```KQL

KQL

List Lateral Movements Paths to Compromised Device

```KQL

KQL

List Live Response Unsigned Script Setting Changes

This query lists all changes to the Live Response Unsigned Script settings in the Advanced Features in Defender For Endpoint. You want to monitor this because allowing the use of unsigned scripts may increase your exposure to threats.

KQL

List Local Firewall Additions

List Local Firewall Additions

KQL

List Local Firewall Deletions

List Local Firewall Deletions

KQL

List MS Graph Mail Permissions Added

The Graph API can be used to read and send mail amongst other actions. Escpecially the Mail*.All permissions are very priviliged and should be scoped to a certain mailbox only (if possible). This query can both be used to assess the current added permissions as well as to detect malicious mail permission that are added to applications.

T1098.002T1098
KQL

List net(1).exe discovery activities

This query lists the net.exe or net1.exe activities that have been executed by each account. The parameters that are included are:

T1069T1087T1201
KQL

List oubound conhost connections

List outbound conhost connections.

KQL

List Rare Net(1).exe Parameter Executions

This query lists rare net.exe or net1.exe parameters that are executed. The following parameters can be used:

KQL

List recently found devices that can be onboarded

This query lists devices that can be onboarded to Defender For Endpoint and have recently been detected. You can determine what recently is by using the *RecentDetection* parameter.

KQL

List risky IP activities

This query activities from a Risky IP

KQL

List SafeLink events

This query lists all events that have triggered a URL block by safelinks. Those actions can be from multiple workloads: Teams, Office Applications or from email events. The URL click of the user will also generate a indincident itself. This query lists all events in one single view.

KQL

List SmartScreen Events

This query lists all SmartScreen related events.

KQL

List supression rule creations

This query lists supression rule creations.

KQL

List the 20 most rare file extensions recieved from emails

This query list the 20 rarest file extentions that have been used in email attachments.

KQL

List the devices with interesting open ports

List the devices with interesting open ports

KQL

List the devices with open database ports

This query lists the devices with open database ports

KQL

List the devices with open remote service ports

This query lists the devices with open remote service ports

KQL

List the devices with the most open ports

List the devices with the most open ports.

KQL

List the external admin activities

This query lists all the external admin activities in your tenant sorted from the account with the most actions performed to the one with the least actions.

KQL

List the file extentions that have been used during a HTTP GET request

List the file extentions that have been used during a HTTP GET request

KQL
PreviousPage 14 of 25Next