EXPLORE DETECTIONS
MalwareBazaar Certificate Blocklist Detection
This query searches for code signing certificates from MalwareBazaar's blocklist
MCP Server Registered to Entra
| where parse_json(TargetResources)[0].displayName == 'Microsoft MCP Server for Enterprise' // Example: https://learn.microsoft.com/en-us/graph/mcp-server/get-started?tabs=http%2Cvscode
MDA - File Download by Country
Covers both the download and download-from-browser activity types.
MDA - IP Address Type
MDA - OAuth App Disabled
My guess is this is Microsoft Application Governance.
MDA Blocks by Application and URL
MDA Custom Warn Indicators Report
This query reports on MDE Indicators in Warn mode and CASB/MDA warnings
MDE DeviceRegistryEvents Tampering To DeviceTag
Modifications to this registry key could move a device into a different MDE Device Group
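An added example of such a query (written for this page, not the catalog's own detection). It watches the DeviceTagging registry key that Microsoft documents for assigning a device tag (HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging, value name Group); the 7-day lookback is an assumption, the columns are the standard DeviceRegistryEvents schema.

```kql
// Added example, not the catalog's own query.
// Microsoft documents device tagging through the registry value
//   HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging  (value name: Group)
// Changing it re-tags the device and can move it into another device group, which changes
// the policies and RBAC scope applied to it, so it is worth alerting on.
DeviceRegistryEvents
| where Timestamp > ago(7d)                                  // assumed lookback
| where RegistryKey has @"Windows Advanced Threat Protection\DeviceTagging"
| where ActionType in ("RegistryKeyCreated", "RegistryKeyDeleted", "RegistryValueSet", "RegistryValueDeleted")
// Keep key-level events regardless; keep value-level events only for the Group value
| where ActionType startswith "RegistryKey" or RegistryValueName =~ "Group"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName,
          PreviousRegistryValueData, RegistryValueData,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

In a tenant where Intune or ConfigMgr legitimately sets this value, add an exclusion on InitiatingProcessFileName for that agent; anything else writing the Group value (cmd.exe, powershell.exe, reg.exe under an interactive account) is the interesting case.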
MDI Sensor Deleted
This query returns results when a Defender for Identity sensor has been deleted. This sensor would have been installed on your Domain Controller, ADCS, ADFS or Entra Connect server.
Microsoft Phishing Subdomain Detection
This query detects phishing domains that use "microsoft" in a subdomain rather than in the registrable domain.
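An added example of the same idea (not the catalog's own query): it takes URLs from delivered mail, splits the host into a registrable domain and a subdomain part, and keeps hosts where "microsoft" only appears in the subdomain. The lookback, the allow-list of legitimate registrable domains and the two-label approximation of the registrable domain are assumptions.

```kql
// Added example, not the catalog's own query.
// Flags URLs in mail whose host carries "microsoft" in a subdomain label
// while the registrable domain is not one Microsoft owns.
let lookback = 7d;                                   // assumed
EmailUrlInfo
| where Timestamp > ago(lookback)
| extend Host = tolower(tostring(parse_url(Url).Host))
| where Host contains "microsoft"
// Registrable domain approximated as the last two labels. This ignores multi-part
// public suffixes such as co.uk, so treat the split as a heuristic.
| extend Labels = split(Host, ".")
| extend LabelCount = array_length(Labels)
| where LabelCount >= 3
| extend RegistrableDomain = strcat(Labels[LabelCount - 2], ".", Labels[LabelCount - 1])
| extend Subdomain = substring(Host, 0, strlen(Host) - strlen(RegistrableDomain) - 1)
| where Subdomain contains "microsoft"
// Assumed allow-list of legitimate registrable domains; extend for your tenant
| where RegistrableDomain !in ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
  ) on NetworkMessageId
| summarize Recipients = dcount(RecipientEmailAddress), Senders = make_set(SenderFromAddress, 5),
            Subjects = make_set(Subject, 3), Urls = make_set(Url, 5)
          by Host, RegistrableDomain, DeliveryAction
| order by Recipients desc
```

Grouping by DeliveryAction shows at a glance which of these messages were actually delivered rather than blocked or junked.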
Microsoft Teams Emoji Reactions
This query lists the statistics of the emoji reactions that have been sent via Microsoft Teams.
Microsoft Teams Emoji Reactions for each Department
This query lists the statistics of the emoji reactions that have been sent via Microsoft Teams, broken down by department.
MicrosoftGraphActivityLogs App Enrichment AADNonInteractiveUserSignInLogs Based
This query enriches the *MicrosoftGraphActivityLogs* with Application information from the *AADNonInteractiveUserSignInLogs* table to get more context in the results.
MicrosoftGraphActivityLogs App Enrichment ExternalData Based
This query enriches the *MicrosoftGraphActivityLogs* with application information using the Azure_Application_ID list developed by [@Beercow](https://github.com/Beercow). With the [externaldata operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer), more than 1000 AppIds can be enriched, resulting in the query below.
MicrosoftGraphActivityLogs IP Enrichment
The IP information can be enriched using the [geo_info_from_ip_address()](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/geo-info-from-ip-address-function) function, which returns the country, state, city, latitude and longitude of each IPv4 and IPv6 address.
MicrosoftGraphActivityLogs User Enrichment
This query enriches the *MicrosoftGraphActivityLogs* with user information from the *IdentityInfo* table to get more context in the results.
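An added example (not the catalog's own query) that combines three of the enrichments described above in one query: app names from *AADNonInteractiveUserSignInLogs*, geo data from geo_info_from_ip_address(), and user details from *IdentityInfo*. The lookback windows are assumptions, *IdentityInfo* is only populated when UEBA is enabled, and the externaldata variant is not shown because it depends on where the AppId list is hosted.

```kql
// Added example, not the catalog's own query. Enriches MicrosoftGraphActivityLogs with
// app name (from sign-in logs), user details (IdentityInfo) and geo (geo_info_from_ip_address).
let lookback = 1d;            // assumed window for the Graph activity itself
let ref_window = 14d;         // assumed window for the reference tables
// 1. AppId -> AppDisplayName, taken from the most recent non-interactive sign-in per app
let AppNames = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(ref_window)
    | where isnotempty(AppId) and isnotempty(AppDisplayName)
    | summarize arg_max(TimeGenerated, AppDisplayName) by AppId
    | project AppId, AppDisplayName;
// 2. Object ID -> user details; IdentityInfo is populated when UEBA is enabled
let Users = IdentityInfo
    | where TimeGenerated > ago(ref_window)
    | summarize arg_max(TimeGenerated, AccountUPN, Department, JobTitle) by AccountObjectId
    | project AccountObjectId, AccountUPN, Department, JobTitle;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(UserId)                         // user-delegated calls; drop this line to include app-only calls
| lookup kind=leftouter AppNames on AppId
| lookup kind=leftouter Users on $left.UserId == $right.AccountObjectId
// 3. Geo enrichment; fields come back empty for private or unknown addresses
| extend Geo = geo_info_from_ip_address(IPAddress)
| extend Country = tostring(Geo.country)
| extend AppDisplayName = coalesce(AppDisplayName, "<unknown app>")
| summarize Requests = count(), Countries = make_set(Country), SampleUris = make_set(RequestUri, 3)
          by AccountUPN, Department, JobTitle, AppId, AppDisplayName
| order by Requests desc
```

Apps that never appear in the sign-in logs (app-only or first-party apps) stay as "<unknown app>"; that gap is what the externaldata list in the entry above fills.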
Modifications To ApplicationManagementPolicy for Entra App Registrations
This query looks for modifications to ApplicationManagementPolicy, which could indicate an attempt to bypass an app management policy that blocks the use of client secrets on app registrations.
Modifications to SafeLinks AllowClickThrough Policy
Monitor DLLs by Signer
Note: change the lookback to 30d if you run this in Defender advanced hunting without Sentinel, since advanced hunting only retains 30 days of data.
Monitor ransomware.live for companies of interest on ransomware data leak sites (DLS)
This allows you to monitor the ransomware.live dataset for possible companies of interest being breached and posted by ransomware groups on data leak sites (DLS).
Most Permissive Entities
This query lists the top 100 entities that have the most permissions to perform a certain action on a resource. The query extracts the type of permissions, such as reader, contributor, owner and other (custom) roles. It is good practice to review the users with the most permissions, or put additional monitoring on their accounts. Because these accounts are highly privileged, a threat actor can perform a lot of actions once one of them has been taken over.
Most Recent Sign-in time for users in the last 30 days
Note that this will not work if the user has had no sign-in at all in the last 30 days. For reporting on last sign-ins for all users regardless of time window, I would check out https://o365reports.com/2023/06/21/microsoft-365-inactive-user-report-ms-graph-powershell/
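An added example (not the catalog's own query) that handles the caveat above: instead of starting from the sign-in logs, it starts from the user population in *IdentityInfo* and left-joins the most recent successful sign-in, so users with no sign-in in the window still appear with an empty LastSignIn. The lookbacks are assumptions and *IdentityInfo* requires UEBA to be enabled.

```kql
// Added example, not the catalog's own query. Uses the directory (IdentityInfo) as the population
// so that users with no sign-in in the window still appear, with an empty LastSignIn.
let lookback = 30d;   // assumed
let LastSignIns = union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                        // successful sign-ins only
    | summarize LastSignIn = max(TimeGenerated) by UserPrincipalName = tolower(UserPrincipalName);
IdentityInfo
| where TimeGenerated > ago(14d)                    // assumed; IdentityInfo needs UEBA enabled
| where isnotempty(AccountUPN)
| summarize arg_max(TimeGenerated, AccountUPN, Department, IsAccountEnabled) by AccountObjectId
| extend UserPrincipalName = tolower(AccountUPN)
| join kind=leftouter LastSignIns on UserPrincipalName
| extend DaysSinceLastSignIn = datetime_diff("day", now(), LastSignIn)
| extend Status = case(isnull(LastSignIn), "no successful sign-in in window", "active")
| project UserPrincipalName, Department, IsAccountEnabled, LastSignIn, DaysSinceLastSignIn, Status
| order by LastSignIn asc nulls first
```

Sorting with nulls first puts the users who never signed in at the top, which is the list to review against IsAccountEnabled for stale-but-enabled accounts.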
Most Triggered Incidents
The results of this query provide insight into the top 10 incidents that have triggered in your selected *timeframe*. This can indicate which detections should be tuned to limit potential false positives.
Most Triggered Mitre Techniques
The results of this query provide insight into the top 10 MITRE ATT&CK techniques that have been triggered in the past 10 days. This can indicate that adversaries use specific techniques to gain access to your environment. On the other hand, if this information is combined with FP/BP statistics it can give insight into the detections that need to be improved.
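An added example (not the catalog's own queries) that serves both the "Most Triggered Incidents" and "Most Triggered Mitre Techniques" entries: it links incidents to their alerts through SecurityIncident.AlertIds, expands the Techniques array on each alert, and ranks techniques by incident count together with the false/benign positive share from incident classification. The 10-day timeframe is an assumption.

```kql
// Added example, not the catalog's own queries. Ranks MITRE techniques by the incidents they
// appear in and attaches false/benign positive statistics from incident classification.
let timeframe = 10d;                                  // assumed
// Latest state of each incident, expanded to one row per alert it contains
let Incidents = SecurityIncident
    | where TimeGenerated > ago(timeframe)
    | summarize arg_max(TimeGenerated, Title, Classification, AlertIds) by IncidentNumber
    | mv-expand AlertId = AlertIds to typeof(string);
SecurityAlert
| where TimeGenerated > ago(timeframe)
| summarize arg_max(TimeGenerated, Techniques, ProviderName) by SystemAlertId
| where isnotempty(Techniques)
// Techniques is a JSON array of technique IDs; one row per technique
| mv-expand Technique = todynamic(Techniques) to typeof(string)
| join kind=inner Incidents on $left.SystemAlertId == $right.AlertId
| summarize Incidents = dcount(IncidentNumber),
            FalsePositives = dcountif(IncidentNumber, Classification == "FalsePositive"),
            BenignPositives = dcountif(IncidentNumber, Classification == "BenignPositive"),
            TopTitles = make_set(Title, 3),
            Providers = make_set(ProviderName)
          by Technique
| extend FpBpRate = round(100.0 * (FalsePositives + BenignPositives) / Incidents, 1)
| top 10 by Incidents desc
```

For the plain "Most Triggered Incidents" view, drop the mv-expand and summarize by Title instead of Technique; a high FpBpRate on a title is the tuning signal the entry above refers to.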