EXPLORE DETECTIONS
Sign Ins by UserAgent
This query can be used to detect rare UserAgents that are used to sign into your tenant. Those rare UserAgents can be used for malicious access into your tenant.
SignIn From Suspicious IP
This query combines threat intelligence feeds with Entra ID sign-in information.
SignInLogs - B2B Access Restrictions
| where ResultType != 0
SignIns with Country Name
raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/refs/heads/master/all/all.csv'] with (format=csv, ignoreFirstRecord=True);
SLA Time To Respond
The query below can be used to validate if the agreed SLA for time to respond is met by your analysts. The query uses a datatable *SLA_Variables* that you can adjust to your time to respond (minutes).
Sliver C2 Beacon Loaded
A Sliver C2 beacon performs the below activities in sequence within a second. The detection combines these signals in that particular sequence to detect a loaded beacon.
Smoke Sandstorm - SnailResin and SlugResin Infection Detection
SlugResin infection involves the use of a legitimate file to load a malicious binary through DLL search order hijacking, delivering the SlugResin backdoor onto the target's device. This backdoor grants the actor access to the compromised device, potentially leading to further malicious activities like malware deployment, credential theft, privilege escalation, and lateral movement. The infection involves a two-stage process with the SnailResin loader and SlugResin backdoor, both associated with the Smoke Sandstorm threat group. The infection chain includes the use of a zip file ("bringthemhome.zip") containing malicious DLL files and a benign executable, which leads to the execution of the backdoor and establishment of a command-and-control connection.
Software Download Sites DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/SoftwarePackersOrSoftwareDownloadProxySites.csv"] with (format="csv", ignoreFirstRecord=True);
SQL Server abuse
This query was originally published in the threat analytics report, **SQL Server abuse**.
Statistics Graph API runHuntingQuery
This query lists the statistics for the objects that used the *runHuntingQuery* API call using the Graph API. This can help determine which applications access your security data and identify new applications that connect to this Graph API endpoint.
Statistics LOLBIN usage
Lists the statistics of LOLBINs that have been executed. The rare LOLBINs are usually the most interesting ones to investigate: why they were executed and by whom. The list of LOLBINs is based on the LOLBAS project.
Statistics onboarded devices (OS)
This query lists how many devices have been onboarded per operating system.
Storm-0539 AiTM URLs - EmailEvents
Microsoft Threat Intelligence has identified that the following URL parts are used by Storm-0539 to deploy AiTM phishing pages:
Streaming Sites - DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/streaming-sites.csv"] with (format="csv", ignoreFirstRecord=True);
Successful device code sign-in
**Note!!** If you ingest AADSignInEventsBeta or SigninLogs, do not use this query.
Successful device code sign-in from unmanaged device
This query lists successful Entra ID sign-ins where device code authentication is used from an unmanaged device. This means that a device which is not managed by your organization has successfully met the conditions to sign in to your tenant using a management API. In addition, you can filter on the previously set conditions in combination with a risk during sign-in to filter on cases that may have more priority.
Successful join of fake device using ROPC (query by @goldjg)
Query written by Graham Gold https://www.linkedin.com/in/graham-gold/ - GitHub: @goldjg
Successful sign-in from suspicious user agent
This detection identifies successful Azure AD/Entra ID sign-ins for a specific UPN where the user agent string matches a list of suspicious or tool-based user agents (such as `python-requests`, `Go-http-client`, or `azurehound`). It filters for successful sign-ins (`ErrorCode == 0`) by the target account and highlights sign-ins performed via known credential validation tools or phishing kits.
Successful sign-in from new country
This query detects successful sign-ins from countries that have not been seen before. Depending on where you run this query the lookback period is different: M365D uses 30 days and Sentinel uses 90 days. If you have longer retention periods it is recommended to use longer thresholds.
Summarizing user searches outside of normal working hours that contain sensitive keywords (CISA)
Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
Summary Rules - Entra Assigned Roles Report
This summary rule focuses on the assigned roles of users. The results of the summary rule can again be used to get insights into specific users, for example to see if their roles increase or decrease over time. These results can also serve as input for reporting on role assignments.
Summary Rules - Entra Group Membership Report
This summary rule focuses on the group memberships of users. The results of the summary rule can again be used to get insights into specific users, for example to see if their memberships increase or decrease over time. These results can also serve as input for reporting on group memberships.
Summary Rules - Unique Actions
This summary rule saves all unique actions and how often they appear in your environment to the custom table of your choice.
Suspicious Named Pipe Event
Named pipes can be used to detect the execution of malicious software in your environment. Some software uses a standardized naming approach for its named pipes, so those pipe names can serve as an indicator.