EXPLORE DETECTIONS
Remote Management Tools (RMM) - DeviceNetworkEvents Domains
`raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/RMM.csv"] with (format="csv", ignoreFirstRecord=True);`
Request an actor token for graph.windows.net using Service to Service (S2S)
Ref: https://i.blackhat.com/BH-USA-25/Presentations/US-25-Mollema-Advanced-AD-to-Entra-ID-lateral-movement-techniques-Wednesday.pdf
Resource Lock Deletion for Azure Monitor Rule
Detects attempts to delete resource locks on Azure Monitor rules in a given subscription and resource group. KQL from https://www.linkedin.com/pulse/main-reason-you-shouldnt-exclude-break-glass-group-access-kerai-4dtve/
Return backup files deletion events
This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/).
Reverse shell associated with ransomware on macOS
This query was originally published in the threat analytics report, *EvilQuest signals the rise of Mac ransomware*.
Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
This query was originally published in the threat analytics report, *Exchange Server zero-days exploited in the wild*.
Risk Based Step Up Consent (RBSU) for Application
Detects the risk-based step-up consent flow escalating a user consent request into the admin consent flow. Note that this is logged even when the requested permissions are already admin-consentable.
Risky Sign-in Keyword Search (CISA)
Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
RMM Tools with connections
This query uses the [LOLRMM](https://lolrmm.io/) API to fetch all filenames related to RMM tools. Based on those executable filenames it searches *DeviceNetworkEvents* for RMM tools that have made successful connections, indicating that the tool is in use within your environment.
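One way to combine the two RMM approaches above (the domain list from the RMM.csv entry and the LOLRMM filename list) in a single hunt. This is an added example, not one of the catalogue's queries. The indicator rows are constructed inline so the query is self-contained; in production they would come from `externaldata()` over LOLRMM's export or the RMM.csv referenced above, whose column layout is not shown on this page and is therefore not assumed.

```kql
// Added example (not a catalogue query). Indicator rows are constructed for illustration;
// replace the datatable with externaldata() over LOLRMM / RMM.csv in production.
let lookback = 7d;
let RmmIndicators = datatable(Tool:string, Filename:string, Domain:string) [
    "AnyDesk",       "anydesk.exe",                     "anydesk.com",
    "TeamViewer",    "teamviewer.exe",                  "teamviewer.com",
    "ScreenConnect", "screenconnect.clientservice.exe", "screenconnect.com",
    "Atera",         "ateraagent.exe",                  "atera.com",
    "NetSupport",    "client32.exe",                    ""
];
// Materialise both lists as dynamic arrays so `in` works inside extend/case as well as where.
let RmmFilenames = toscalar(RmmIndicators | where isnotempty(Filename) | summarize make_set(Filename));
let RmmDomains   = toscalar(RmmIndicators | where isnotempty(Domain)   | summarize make_set(Domain));
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"          // only tools that actually talked out
| extend FileNameLower = tolower(InitiatingProcessFileName)
// Approximate the registered domain as the last two labels: fine for .com/.io,
// wrong for ccSLDs such as co.uk; extend the regex if those matter in your estate.
| extend RemoteDomain = extract(@"([^.]+\.[^.]+)$", 1, tolower(RemoteUrl), typeof(string))
| extend FileHit = FileNameLower in (RmmFilenames), DomainHit = RemoteDomain in (RmmDomains)
// Match on the binary OR its infrastructure: a renamed client still trips on the domain,
// and a tool talking to an unlisted relay still trips on the filename.
| where FileHit or DomainHit
| extend MatchedOn = case(FileHit and DomainHit, "file+domain", FileHit, "file", "domain")
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            Devices = make_set(DeviceName, 50), Remotes = make_set(RemoteUrl, 20)
          by InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteDomain, MatchedOn
| order by Connections desc
```

Rows matched on "domain" only are the interesting ones: a binary that is not on the filename list but talks to RMM infrastructure is either a renamed client or a tool your list does not yet know about.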
Role Report
This query can be used to produce a report of the Entra ID role memberships for all users.
ROSTI (Repackaged Open Source Intelligence) MDE File Events IOC Hits
Looks for SHA256 hits from the ROSTI Feed
ROSTI (Repackaged Open Source Intelligence) MDE Network Events IOC Hits
Looks for Network Traffic hits from the ROSTI Feed
Safe Links Email URL Block Trigger
This query lists the emails that have triggered a URL block by Safe Links. It collects the Safe Links click logs where the action is ClickBlocked and joins them to the email events to retrieve information about the mail that was sent. The user's URL click also generates an incident on its own; this query enriches that incident with the information needed to investigate it.
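The join described above, written out as an added example rather than the catalogue's own query. It relies only on the documented *UrlClickEvents* and *EmailEvents* columns; the 30-day window and the recipient filter are choices made here.

```kql
// Added example (not a catalogue query). Safe Links click verdicts live in UrlClickEvents;
// the message that carried the URL is recovered through NetworkMessageId.
let lookback = 30d;
UrlClickEvents
| where Timestamp > ago(lookback)
| where ActionType == "ClickBlocked"
| where Workload == "Email"        // Safe Links also fires for Teams and Office clients; keep mail only here
| project ClickTime = Timestamp, AccountUpn, Url, ThreatTypes, IsClickedThrough, ClickIP = IPAddress, NetworkMessageId
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, ReceivedTime = Timestamp, RecipientEmailAddress, SenderFromAddress,
              SenderMailFromAddress, Subject, DeliveryAction, DeliveryLocation, EmailThreatTypes = ThreatTypes
) on NetworkMessageId
// A message can have many recipients; keep the copy delivered to the user who clicked.
| where RecipientEmailAddress =~ AccountUpn
// Time from delivery to click helps separate a curious user from a mass campaign landing all at once.
| extend MinutesToClick = datetime_diff("minute", ClickTime, ReceivedTime)
| project ClickTime, AccountUpn, Url, ThreatTypes, IsClickedThrough, ClickIP, ReceivedTime, MinutesToClick,
          SenderFromAddress, SenderMailFromAddress, Subject, DeliveryAction, DeliveryLocation, EmailThreatTypes, NetworkMessageId
| order by ClickTime desc
```

`IsClickedThrough` is worth surfacing on its own: a blocked click that the user then clicked through is a different conversation from one the warning page actually stopped.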
Safeboot Registry Modification Detection
This query detects modifications to the SafeBoot registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot), which control what loads in Safe Mode.
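An added example of how that detection can be written over *DeviceRegistryEvents*; it is not the catalogue's query. The servicing-process exclusion list is a tuning assumption, and the "Technique" labels are this example's own interpretation of each change type.

```kql
// Added example (not a catalogue query). DeviceRegistryEvents records the concrete control set,
// e.g. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\<service or driver>.
let lookback = 7d;
// Windows servicing legitimately rewrites SafeBoot entries during updates; tune for your estate.
let ServicingProcesses = dynamic(["tiworker.exe", "trustedinstaller.exe", "poqexec.exe"]);
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where RegistryKey contains @"\Control\SafeBoot"
| where ActionType in ("RegistryKeyCreated", "RegistryKeyDeleted", "RegistryValueSet", "RegistryValueDeleted")
| extend SafeBootMode = extract(@"\\SafeBoot\\(Minimal|Network)", 1, RegistryKey, typeof(string))
| extend EntryName    = extract(@"\\SafeBoot\\(?:Minimal|Network)\\([^\\]+)", 1, RegistryKey, typeof(string))
| extend Technique = case(
      // Removing AV/EDR entries so the product does not load when the box is rebooted into Safe Mode
      ActionType == "RegistryKeyDeleted" and isnotempty(EntryName), "SafeBoot entry removed",
      // Registering an extra service/driver so the implant itself survives a Safe Mode boot
      ActionType in ("RegistryKeyCreated", "RegistryValueSet") and isnotempty(EntryName), "SafeBoot entry added or changed",
      // Replacing cmd.exe for "Safe Mode with Command Prompt" with an arbitrary binary
      RegistryValueName =~ "AlternateShell", "AlternateShell replaced",
      "Other SafeBoot change")
| where not(tolower(InitiatingProcessFileName) in (ServicingProcesses))
| project Timestamp, DeviceName, ActionType, Technique, SafeBootMode, EntryName,
          RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

Deletions under `SafeBoot\Minimal` by a non-servicing process deserve the highest priority: ransomware families that reboot into Safe Mode to encrypt remove security-product entries there first.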
Scheduled Tasks from AppData Created or Updated
This query detects scheduled tasks that are created or updated with executables or scripts located in the `AppData` directory (including `%localappdata%` and `%appdata%`). This is a common technique used by malware and attackers to persist on a system without requiring administrative privileges. OneDrive-related tasks are excluded as a known false positive.
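An added example of the AppData scheduled-task logic described above, not the catalogue's query. It assumes the task name and XML definition are exposed as `TaskName` and `TaskContent` inside *DeviceEvents.AdditionalFields*, and goes one step beyond the description by also catching a script interpreter launched with an AppData payload in its arguments.

```kql
// Added example (not a catalogue query). Task create/update events surface in DeviceEvents;
// TaskName / TaskContent inside AdditionalFields are the field names assumed here.
let lookback = 7d;
let AppDataPath = @"(?i)\\AppData\\(Local|Roaming|LocalLow)\\";
// Interpreters that make "a script in AppData" look like a system binary in <Command>.
let Interpreters = dynamic(["powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                            "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ScheduledTaskCreated", "ScheduledTaskUpdated")
| extend Fields = parse_json(AdditionalFields)
| extend TaskName = tostring(Fields.TaskName), TaskContent = tostring(Fields.TaskContent)
// The definition is Task Scheduler XML; pull the action's command and arguments out of it.
| extend Command   = extract(@"<Command>(.*?)</Command>", 1, TaskContent, typeof(string)),
         Arguments = extract(@"<Arguments>(.*?)</Arguments>", 1, TaskContent, typeof(string))
| extend CommandFile = tolower(extract(@"([^\\/]+)$", 1, Command, typeof(string)))
// Either the executable itself lives in AppData, or a LOLBIN is pointed at a payload in AppData.
| where Command matches regex AppDataPath
     or (CommandFile in (Interpreters) and Arguments matches regex AppDataPath)
// Known benign: OneDrive's per-user update tasks run from %localappdata%\Microsoft\OneDrive.
| where not(TaskName has "OneDrive")
| project Timestamp, DeviceName, ActionType, TaskName, Command, Arguments,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

Keep the OneDrive exclusion narrow (task name only): excluding every task whose command mentions OneDrive would also hide a payload dropped into that folder.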
Security Alerts triggered by users at risk
This query identifies the users that are currently at risk. Based on that, it looks up the security alerts that have been triggered with that user as an entity. The combination can indicate that a user account has been compromised, because it has performed risky sign-in activities as well as malicious activities detected by security products or custom detection rules.
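An added example of that correlation, not the catalogue's query. It assumes the Sentinel *AADRiskyUsers* table (Entra ID Protection connector) is available alongside the Defender XDR *AlertEvidence* and *AlertInfo* tables, as it is in the unified portal; the 30-day window is a choice made here.

```kql
// Added example (not a catalogue query). AADRiskyUsers is the Sentinel table fed by the Entra ID
// Protection connector (assumed enabled); AlertEvidence / AlertInfo are Defender XDR tables.
let lookback = 30d;
let RiskyUsers = AADRiskyUsers
    // One row per user: the latest risk record wins, then keep only open risk states.
    | summarize arg_max(TimeGenerated, RiskLevel, RiskState, RiskDetail) by UserPrincipalName
    | where RiskState in ("atRisk", "confirmedCompromised")
    | project UserKey = tolower(UserPrincipalName), RiskLevel, RiskState, RiskDetail, RiskUpdated = TimeGenerated;
AlertEvidence
| where Timestamp > ago(lookback)
| where EntityType == "User" and isnotempty(AccountUpn)
| extend UserKey = tolower(AccountUpn)          // normalise case before joining on UPN
| join kind=inner RiskyUsers on UserKey
| join kind=inner (
    AlertInfo
    | project AlertId, Title, Severity, Category, ServiceSource, DetectionSource
) on AlertId
| summarize AlertCount = dcount(AlertId), Alerts = make_set(Title, 20), Severities = make_set(Severity),
            Sources = make_set(ServiceSource), FirstAlert = min(Timestamp), LastAlert = max(Timestamp)
          by UserKey, RiskLevel, RiskState, RiskDetail, RiskUpdated
| order by AlertCount desc
```

Comparing `RiskUpdated` with `FirstAlert` tells you which came first: a risk detection followed by endpoint or mail alerts reads very differently from alerts on a user whose risk was flagged afterwards.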
Security Copilot Agent Deleted
When an agent is removed from Entra, the agentic user behind the identity is also removed
Self-deletion by Qakbot malware
This query was originally published in the threat analytics report, *Qakbot blight lingers, seeds ransomware*.
Sensitive Large File Uploads using CloudAppEvents
Set the threshold to alert on uploads larger than this size (in GB).
Sentinel Analytics Rule: CISA Known Exploited Vulnerability Added
This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).
Sentinel Incident Deletions
Monitors for Sentinel incidents being deleted.
Sentinel Workspace Disconnected
This query returns results if Sentinel workspaces have been removed from Unified XDR. These activities should be monitored to make sure that Sentinel environments are not removed from your XDR environment, whether by mistake or deliberately.
ServicePrincipalAddedToRole [Nobelium]
One of the indicators of compromise for the Nobelium (formerly Solorigate) campaign was that unexpected service principals have been added to privileged roles. This query looks for service principals that have been added to any role.
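An added example of the role-assignment check described above, not the catalogue's query. It uses the Sentinel *AuditLogs* table (Entra ID audit connector assumed); the field paths inside `TargetResources` and `InitiatedBy` follow the Entra audit log schema, and the privileged-role list is an assumption used only to rank results.

```kql
// Added example (not a catalogue query). Sentinel AuditLogs, Entra ID audit connector assumed.
let lookback = 30d;
// Roles that warrant paging someone; any other role still shows, just flagged false.
let PrivilegedRoles = dynamic(["Global Administrator", "Privileged Role Administrator", "Application Administrator",
                               "Cloud Application Administrator", "Exchange Administrator", "Hybrid Identity Administrator"]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "Add member to role"
| mv-expand Target = TargetResources
| where tostring(Target.type) == "ServicePrincipal"   // the member being added is an SP, not a user
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
// newValue is a JSON-encoded string ("\"Global Administrator\""), so strip the surrounding quotes.
| extend RoleName = trim('"', tostring(Prop.newValue))
| extend ServicePrincipalName = tostring(Target.displayName), ServicePrincipalId = tostring(Target.id)
// The assignment may have been made by a user or by another application.
| extend Actor = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),
                     tostring(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend IsPrivilegedRole = RoleName in (PrivilegedRoles)
| project TimeGenerated, Actor, ActorIP, ServicePrincipalName, ServicePrincipalId, RoleName, IsPrivilegedRole, Result, CorrelationId
| order by IsPrivilegedRole desc, TimeGenerated desc
```

Baseline the output first: service principals legitimately hold roles (Exchange Online, Intune connectors, CI/CD apps), so the value is in the unexpected additions, especially where `Actor` is itself an application.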
Set Persistence using Event Viewer Microsoft Redirection Program
Ref: https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/