EXPLORE DETECTIONS
Anonymous Email Sending Domains MDE Traffic
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/AnonymousEmailSendingDomains.csv"] with (format="csv", ignoreFirstRecord=True);
Anti-lock or Idle Software
This query looks for files or processes known to keep a PC awake and bypass the screen-lock timeout.
AntiSleep Domains - MDE DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/AntiSleep.csv"] with (format="csv", ignoreFirstRecord=True);
Antivirus Detections by day
This query visualizes daily antivirus detections, which can indicate an anomalous amount of activity in your environment.
Antivirus Domains - MDE DeviceNetworkEvents
Additional AV providers can turn off Defender. Ensure that Defender is running in EDR in block mode. For brevity, software packers have been scoped instead of each individual AV URL. These should be safe to unsanction, as users and admins should be grabbing applications from official sources.
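The three domain-list queries above all follow the same pattern: pull a CSV of domains with externaldata(), skip its header row, and match it against DeviceNetworkEvents. The block below is an added example of that matching logic in Python, not code from the page or from the SoftwareCertificates repository; the IOC CSV, the event rows and the ".test"/".example" names are constructed, and the real lists' column layout is not reproduced. It also shows the caveat a practitioner cares about: matching on DNS labels (exact or parent domain) rather than on the raw URL string, so that a domain like "notantisleep.example" is not a false positive.

```python
from __future__ import annotations

import csv
import io
from urllib.parse import urlsplit

# Constructed stand-in for the CSV that the page's queries pull with externaldata().
# The real lists live at the raw.githubusercontent.com URLs quoted above; this
# block does not reproduce their contents or column layout. The ".test" and
# ".example" names are reserved and never resolve.
IOC_CSV = """Domain,Category
example-anonmail.test,AnonymousEmail
antisleep.example,AntiSleep
"""


def load_ioc_domains(csv_text: str) -> dict[str, str]:
    """Parse the IOC list, skipping the header row (the Python equivalent of
    externaldata(...) with (format="csv", ignoreFirstRecord=True))."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # drop the header row
    return {row[0].strip().lower(): row[1].strip()
            for row in reader if row and row[0].strip()}


def host_of(remote_url: str) -> str:
    """DeviceNetworkEvents.RemoteUrl may be a bare host name or a full URL;
    reduce either form to the host so matching is done on DNS labels."""
    url = remote_url.strip().lower()
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


def ioc_for_host(host: str, iocs: dict[str, str]) -> tuple[str, str] | None:
    """Match the host or any parent domain against the list, label by label.
    'cdn.antisleep.example' matches 'antisleep.example'; 'notantisleep.example'
    does not, which a substring match on the raw URL string would get wrong."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate, iocs[candidate]
    return None


def match_events(events, iocs):
    """events: iterable of (DeviceName, RemoteUrl). Returns one row per hit:
    (device, host, matched IOC domain, category)."""
    hits = []
    for device, remote_url in events:
        host = host_of(remote_url)
        found = ioc_for_host(host, iocs)
        if found:
            hits.append((device, host, found[0], found[1]))
    return hits


# Constructed DeviceNetworkEvents-style rows.
SAMPLE_EVENTS = [
    ("ws01", "https://cdn.antisleep.example/dl/tool.exe"),
    ("ws01", "example-anonmail.test"),
    ("ws02", "https://notantisleep.example/"),
    ("ws02", "https://login.microsoftonline.com/"),
]


def sample_hits():
    return match_events(SAMPLE_EVENTS, load_ioc_domains(IOC_CSV))


if __name__ == "__main__":
    for row in sample_hits():
        print(row)
```

Only the two ws01 rows are returned; the ws02 row for "notantisleep.example" is deliberately left out even though the IOC domain appears inside its name.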
AppArmor service stopped
This query was originally published in the threat analytics report, *Sysrv botnet evolution*.
APT28 Commands
This KQL query can be used to hunt for APT28 commands in your environment. The *threshold* sets how many unique APT28 commands must be executed within the defined *BinSize* before a device is surfaced; the *BinSize* is the timeframe in which the *threshold* needs to be reached. All calculations are done per device. The more APT28 commands are found on a device, the more likely it is that the device has been compromised.
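The per-device threshold-within-a-bin logic described above, as an added Python example that is not the page's query: the APT28 command list is replaced by a constructed placeholder list of generic discovery commands, the process events are constructed, and the bin flooring mirrors KQL bin(Timestamp, BinSize). It counts distinct watched commands per device and per bin, so a single command line that carries several commands counts each of them, while the same command repeated counts once.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder list. The page's query ships its own APT28 command set;
# these generic discovery commands stand in for it so the block runs offline.
WATCHED_COMMANDS = ["whoami", "net user", "net group", "tasklist", "systeminfo"]

EPOCH = datetime(1970, 1, 1)


def bin_start(ts: datetime, bin_size: timedelta) -> datetime:
    """Floor a timestamp to its bin, the same as KQL bin(Timestamp, BinSize)."""
    return EPOCH + ((ts - EPOCH) // bin_size) * bin_size


def matched_commands(cmdline: str, watched=WATCHED_COMMANDS) -> set[str]:
    """Watched commands that occur in a process command line (whitespace-normalised)."""
    text = " ".join(cmdline.lower().split())
    return {c for c in watched if c in text}


def devices_over_threshold(events, threshold=3, bin_size=timedelta(hours=1)):
    """events: iterable of (Timestamp, DeviceName, ProcessCommandLine).
    Per device and per bin, count distinct watched commands and keep the bins that
    reach the threshold. Returns {device: [(bin_start, sorted commands), ...]}."""
    seen = defaultdict(set)
    for ts, device, cmdline in events:
        hits = matched_commands(cmdline)
        if hits:
            seen[(device, bin_start(ts, bin_size))] |= hits
    flagged = {}
    for (device, start), cmds in sorted(seen.items()):
        if len(cmds) >= threshold:
            flagged.setdefault(device, []).append((start, sorted(cmds)))
    return flagged


def sample_events():
    """Constructed DeviceProcessEvents-style rows, all on 2024-01-01."""
    def t(hour, minute):
        return datetime(2024, 1, 1, hour, minute)
    return [
        (t(10, 5), "host-a", "whoami.exe"),                # three distinct commands
        (t(10, 20), "host-a", "net  user"),                 # inside one hour bin
        (t(10, 40), "host-a", "tasklist /v"),
        (t(9, 50), "host-b", "whoami"),                     # three commands, but
        (t(10, 30), "host-b", "net user"),                  # spread over three bins
        (t(11, 10), "host-b", "systeminfo"),
        (t(10, 10), "host-c", "whoami"),                    # same command twice
        (t(10, 15), "host-c", "whoami /all"),               # counts as one
        (t(10, 0), "host-d", "cmd.exe /c whoami && net user && net group"),
    ]


if __name__ == "__main__":
    for device, bins in devices_over_threshold(sample_events()).items():
        for start, cmds in bins:
            print(device, start.isoformat(), cmds)
```

With threshold 3 and a one-hour bin only host-a and host-d are surfaced; host-b reaches three commands overall but never three within one bin, which is exactly the distinction the *BinSize* parameter controls.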
APT28 WebDav Folder File Collection
Hunts for external connections initiated by PowerShell to collect files from a WebDAV folder; this technique is used to download malicious files.
APTNotes table that can be used to join with other data connectors
ASR Ransomware
Detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered. MDE uses client and cloud heuristics to determine whether a file resembles ransomware; the file could, for example, be the script used to encrypt files. Defender for Endpoint generates no alert for this by default, yet it could be the start of a ransomware attack. Additional information is available from Microsoft.
Assignment of Local Administrator Entra Role
Assignment of the Local Administrator / Device Administrator Entra role.
AsyncRAT Initial Access Campaign via OneNote files
In recent days there has been an increase in malicious OneNote files used to deliver AsyncRAT. This query can be used to start a hunt for such files in your environment. A OneNote file has to be delivered by mail and opened before it appears in the results of this query, which indicates that a user opened the attachment from the mail. From there an investigation needs to be started to determine whether the file is benign or malicious.
ATP Detection events triggered
Displays the *AtpDetection* events in CloudAppEvents.
Audit B2B Guest Devices Trust Type
Shoutout to johannesblog.com for the idea.
Audit Justifications for PIM Requests
This query looks at the justification descriptions given for approval, per role. Use it to check that users are activating PIM for the right roles for the right tasks.
Audit Logic Apps with Office365 Connections using Resource Query
Credit: santisq
Audit Mandatory Office Days using Advanced Hunting
Success only
Audit RBAC Changes Defender XDR
The query below can be used to monitor RBAC changes in Defender XDR. It lists additions, deletions and changes; if you only want to monitor specific actions, you can refine the query by filtering on ActionType.
Audit User Marked as Compromised By Admin or App
Shows who confirmed the user as compromised; it may be an app rather than a person.
Audit User tries to change password to a non-complying password
Use to tune the threshold.
Audit when PIM fails to remove an eligible member from role
Original Source: https://azurewithtom.com/posts/MSRC-Case-When-Temporary-Global-Admin-Rights-Don-t-Expire-in-Microsoft-Entra-PIM/
AutoIR High Impact Alert
This rule can be deployed in your environment as an NRT rule to deal with high-severity alerts. The detection can be mapped to response actions so that an incident is always contained when Ransomware, Hands-on-keyboard or RunMRU is mentioned in the command line. This rule can help reduce the time to contain.
Automated investigation and response effectiveness
This query only returns results if automated investigation and response (AIR) is enabled in Defender for Office. The query is aimed at displaying the effectiveness of AIR; these automatic response actions can fail, hence it is important to review them periodically.
Azure ARC Related Persistence Detection
This detection rule aims to identify the unexpected installation of Azure Arc agents. Peach Sandstorm has been known to register its own Azure tenant and install Azure Arc agents on devices to maintain persistence. The rule includes two queries: one for detecting service installations and another for identifying file-path creations associated with Azure Arc agents.