EXPLORE DETECTIONS
List external applications with highly privileged permissions
The query below lists the external applications with highly privileged permissions. It is highly recommended to periodically review the highly privileged external applications.
List Lateral Movements Paths to Compromised Device
List Live Response Unsigned Script Setting Changes
This query lists all changes to the Live Response Unsigned Script settings in the Advanced Features in Defender For Endpoint. You want to monitor this because allowing the use of unsigned scripts may increase your exposure to threats.
List Local Firewall Additions
List Local Firewall Additions
List Local Firewall Deletions
List Local Firewall Deletions
List MS Graph Mail Permissions Added
The Graph API can be used to read and send mail, amongst other actions. Especially the Mail*.All permissions are very privileged and should, if possible, be scoped to specific mailboxes only (in Exchange Online this is done with an application access policy). This query can be used both to assess the currently added permissions and to detect malicious mail permissions that are added to applications.
List net(1).exe discovery activities
This query lists the net.exe or net1.exe activities that have been executed by each account. The parameters that are included are:
List outbound conhost connections
List outbound conhost connections.
List Rare Net(1).exe Parameter Executions
This query lists rare net.exe or net1.exe parameters that are executed. The following parameters can be used:
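As an added illustration (not the repository's own query, which is not reproduced on this page), the following KQL covers both the per-account net.exe view and the rare-parameter view described above. It reads the standard Defender for Endpoint DeviceProcessEvents table, extracts the sub-command that follows net.exe or net1.exe, drops the duplicate net1.exe child that net.exe spawns for most sub-commands, and then flags parameters that were seen on only a few devices. The 30-day window and the device-count threshold of 3 are assumptions.

```kql
// Added example: net.exe / net1.exe discovery activity per account, with rarity of the parameter.
// Tables and columns are the standard advanced hunting schema; Timeframe and RareDeviceThreshold are assumed values.
let Timeframe = 30d;
let RareDeviceThreshold = 3;   // assumption: a parameter seen on 3 or fewer devices counts as rare
let NetEvents = DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | where FileName in~ ("net.exe", "net1.exe")
    // net.exe hands most sub-commands to net1.exe with the same command line; keep only one of the pair
    | where not(FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe")
    // first token after the binary is the sub-command: user, group, localgroup, share, view, use, accounts, ...
    | extend Parameter = tolower(extract(@'(?i)\bnet1?(?:\.exe)?"?\s+(\S+)', 1, ProcessCommandLine))
    | where isnotempty(Parameter)
    | project Timestamp, DeviceName, AccountName, Parameter, ProcessCommandLine, InitiatingProcessFileName;
// Prevalence of every parameter across the estate, used to decide what is "rare"
let ParameterPrevalence = NetEvents
    | summarize DeviceCount = dcount(DeviceName), Executions = count() by Parameter;
NetEvents
| join kind=inner ParameterPrevalence on Parameter
| extend IsRare = DeviceCount <= RareDeviceThreshold
// Per-account view: everything the account ran, plus the subset that is rare
| summarize Executions = count(),
            Parameters = make_set(Parameter, 20),
            RareExecutions = countif(IsRare),
            RareParameters = make_set_if(Parameter, IsRare, 20),
            Devices = make_set(DeviceName, 20),
            SampleCommandLines = make_set_if(ProcessCommandLine, IsRare, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by AccountName
| sort by RareExecutions desc, Executions desc
```

Accounts with a high RareExecutions count and parameters such as `group`, `localgroup` or `user` combined with `/domain` are the ones worth reading the command lines for; the de-duplication step matters because without it every discovery command is counted twice.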
List recently found devices that can be onboarded
This query lists devices that can be onboarded to Defender For Endpoint and have recently been detected. You can determine what recently is by using the *RecentDetection* parameter.
List risky IP activities
This query lists activities originating from a risky IP address.
List SafeLink events
This query lists all events that have triggered a URL block by Safe Links. Those actions can come from multiple workloads: Teams, Office applications or email. The user's URL click will also generate an incident by itself. This query lists all events in one single view.
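The single-view query described above can be written against the UrlClickEvents advanced hunting table, which carries the Workload column (Email, Teams, Office) for every Safe Links click verdict. The example below is added here and is not the repository's query; it assumes a 30-day window and additionally counts the users who clicked through a block page, which is the subset a responder usually wants first.

```kql
// Added example: all Safe Links blocks across workloads in one view, grouped per user.
// UrlClickEvents and its columns are the standard advanced hunting schema; Timeframe is an assumed value.
let Timeframe = 30d;
UrlClickEvents
| where Timestamp > ago(Timeframe)
// both verdicts are blocks: one by Safe Links detection, one by a tenant allow/block list policy
| where ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy")
| extend Host = tostring(parse_url(Url).Host)
| summarize Blocks = count(),
            // IsClickedThrough is true when the user proceeded past the warning page
            ClickedThrough = countif(IsClickedThrough == true),
            Workloads = make_set(Workload),
            ThreatTypes = make_set(ThreatTypes),
            Hosts = make_set(Host, 10),
            Urls = make_set(Url, 5),
            MessageIds = make_set(NetworkMessageId, 5),
            LastClick = max(Timestamp)
          by AccountUpn
| sort by ClickedThrough desc, Blocks desc
```

Rows with ClickedThrough greater than zero are the ones to correlate with the incident that the click already raised; the NetworkMessageId values link back to EmailEvents for the originating mail when the workload is Email.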
List SmartScreen Events
This query lists all SmartScreen related events.
List suppression rule creations
This query lists suppression rule creations.
List the 20 rarest file extensions received from emails
This query lists the 20 rarest file extensions that have been used in email attachments.
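One way to produce that list, as an added example rather than the repository's own query, is to take the last dotted component of every attachment name in EmailAttachmentInfo and rank extensions by how rarely they occur. The table and columns are the standard advanced hunting schema; the 30-day window, the extension length limit and the double-extension check are assumptions.

```kql
// Added example: the 20 rarest attachment extensions seen in email, with context per extension.
// EmailAttachmentInfo is the standard advanced hunting table; Timeframe is an assumed value.
let Timeframe = 30d;
EmailAttachmentInfo
| where Timestamp > ago(Timeframe)
| where isnotempty(FileName)
// last dotted component, lowercased so ".PDF" and ".pdf" are counted as one extension
| extend Extension = tolower(extract(@'\.([A-Za-z0-9]{1,10})$', 1, FileName))
| where isnotempty(Extension)
// "invoice.pdf.exe" style names; legitimate cases such as ".tar.gz" also match, so treat this as a hint
| extend HasDoubleExtension = FileName matches regex @'\.[A-Za-z0-9]{1,10}\.[A-Za-z0-9]{1,10}$'
| summarize Attachments = count(),
            Messages = dcount(NetworkMessageId),
            Senders = dcount(SenderFromAddress),
            Recipients = dcount(RecipientEmailAddress),
            DoubleExtensions = countif(HasDoubleExtension),
            SampleFileNames = make_set(FileName, 3),
            LastSeen = max(Timestamp)
          by Extension
| top 20 by Attachments asc
```

Because the ranking is by raw count, an extension that appears once from one sender is listed above one that appears twice; the Senders and Recipients columns make it easy to see whether a rare extension is a single targeted delivery or a trickle from many sources.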
List the devices with interesting open ports
List the devices with interesting open ports
List the devices with open database ports
This query lists the devices with open database ports
List the devices with open remote service ports
This query lists the devices with open remote service ports
List the devices with the most open ports
List the devices with the most open ports.
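The four port queries above (interesting, database, remote service, most open) can be served by one query over DeviceNetworkEvents, because Defender for Endpoint records inbound accepted connections and listening sockets with the LocalPort they were bound to. The query below is an added example, not the repository's query; the port groups are assumptions to be adjusted to what the estate actually runs, and the 7-day window is assumed.

```kql
// Added example: open ports per device, categorised into database and remote-service ports.
// DeviceNetworkEvents and its ActionType values are the standard advanced hunting schema.
let Timeframe = 7d;
// Assumed port groups (not the page's lists); extend them to match your environment
let DatabasePorts = dynamic([1433, 1434, 3306, 5432, 1521, 27017, 6379, 9200, 5984]);
let RemoteServicePorts = dynamic([22, 23, 3389, 5900, 5985, 5986, 135, 445]);
DeviceNetworkEvents
| where Timestamp > ago(Timeframe)
// InboundConnectionAccepted: a peer actually connected; ListeningConnectionCreated: a socket was opened for listening
| where ActionType in ("InboundConnectionAccepted", "ListeningConnectionCreated")
| extend Category = case(LocalPort in (DatabasePorts), "Database",
                         LocalPort in (RemoteServicePorts), "RemoteService",
                         "Other")
| summarize OpenPorts = make_set(LocalPort),
            OpenPortCount = dcount(LocalPort),
            OpenDatabasePorts = make_set_if(LocalPort, Category == "Database"),
            OpenRemoteServicePorts = make_set_if(LocalPort, Category == "RemoteService"),
            InterestingPortCount = dcountif(LocalPort, Category != "Other"),
            // distinct peers that connected inbound; high values on a workstation are unusual
            RemoteSources = dcountif(RemoteIP, ActionType == "InboundConnectionAccepted"),
            LastSeen = max(Timestamp)
          by DeviceName
| sort by InterestingPortCount desc, OpenPortCount desc
```

Sorting by OpenPortCount alone gives the "most open ports" view; filtering on OpenDatabasePorts or OpenRemoteServicePorts being non-empty gives the two category views. Listening sockets with no inbound connection in the window still show up, which is the point: they are exposure, not yet traffic.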
List the external admin activities
This query lists all the external admin activities in your tenant sorted from the account with the most actions performed to the one with the least actions.
List the file extensions that have been used during a HTTP GET request
List the file extensions that have been used during a HTTP GET request
List the top 10 accounts that have the most impersonators
This query lists the top 10 accounts that have performed the most actions on behalf of other (impersonated) users. The definition of this field is: *Indicates whether the activity was performed by one user for another (impersonated) user*.
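Both the external admin activity list and the impersonation list above come from flags on the CloudAppEvents table (IsExternalUser, IsAdminOperation and IsImpersonated). The following is an added example rather than either of the repository's queries: it ranks accounts on both counts in one pass, with a 30-day window as an assumed value.

```kql
// Added example: accounts ranked by impersonated actions and by external admin actions.
// CloudAppEvents and its boolean flag columns are the standard advanced hunting schema; Timeframe is assumed.
let Timeframe = 30d;
CloudAppEvents
| where Timestamp > ago(Timeframe)
| extend IsExternalAdminAction = (IsExternalUser == true and IsAdminOperation == true)
| where IsImpersonated == true or IsExternalAdminAction
| summarize ImpersonatedActions = countif(IsImpersonated == true),
            ExternalAdminActions = countif(IsExternalAdminAction),
            ActionTypes = make_set(ActionType, 15),
            Applications = make_set(Application, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by AccountDisplayName, AccountObjectId
| extend FlaggedActions = ImpersonatedActions + ExternalAdminActions
| sort by ImpersonatedActions desc, ExternalAdminActions desc
| take 10
```

Replacing the final sort with `sort by ExternalAdminActions desc` reproduces the external admin ordering described above; keeping the ActionTypes column is what makes the result reviewable, since a service account that legitimately acts for users will show a narrow, repetitive set of operations.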
List the top 10 external applications with the most consented users
The query below lists the top 10 external applications with the most consented users. It is highly recommended to review newly added applications for which only user consent has been given.