EXPLORE DETECTIONS
Senstive Large File Uploads using CloudAppEvents
Set threshold to alert on uploads above this size in GB
Sentinel Analytics Rule: CISA Known Exploited Vulnerability Added
This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).
Sentinel Incident Deletions
We may want to monitor if a sentinel incident has been deleted
Sentinel Workspace Disconnected
This query returns results if Sentinel workspaces have been removed from Unified XDR. These activities should be monitored to make sure that sentinel environments are not by mistakenly or purposely removed from your XDR environment.
ServicePrincipalAddedToRole [Nobelium]
One of the indicators of compromise for the Nobelium (formerly Solorigate) campaign was that unexpected service principals have been added to privileged roles. This query looks for service principals that have been added to any role.
Set Persistence using Event Viewer Microsoft Redirection Program
Ref:https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
Sign Ins by UserAgent
This query can be used to detect rare UserAgents that are used to sign into your tenant. Those rare UserAgents can be used for malicious acces into your tenant.
SignIn From Suspicious IP
This query combines threat intelligence feeds with Entra ID sign-in information.
SignInLogs - B2B Access Restrictions
| where ResultType != 0
SignIns with Country Name
raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/refs/heads/master/all/all.csv'] with (format=csv, ignoreFirstRecord=True);
SLA Time To Respond
The query below can be used to validate if the agreed SLA for time to respond is met by your analysts. The query used a datatable *SLA_Variables* that you can adjust to your time to responde (minutes).
Sliver C2 Beacon Loaded
A Sliver C2 beacon performs the below activities in sequence within a second. The detection combines these sigals in that particular sequence to detect a loaded beacon.
Smoke Sandstorm - SnailResin and SlugResin Infection Detection
SlugResin infection involves the use of a legitimate file to load a malicious binary through DLL search order hijacking, delivering the SlugResin backdoor onto the target's device. This backdoor grants the actor access to the compromised device, potentially leading to further malicious activities like malware deployment, credential theft, privilege escalation, and lateral movement. The infection involves a two-stage process with the SnailResin loader and SlugResin backdoor, both associated with the Smoke Sandstorm threat group. The infection chain includes the use of a zip file ("bringthemhome.zip") containing malicious DLL files and a benign executable, which leads to the execution of the backdoor and establishment of a command-and-control connection.
Software Download Sites DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/SoftwarePackersOrSoftwareDownloadProxySites.csv"] with (format="csv", ignoreFirstRecord=True);
SQL Server abuse
This query was originally published in the threat analytics report, **SQL Server abuse**.
Statistics Graph API runHuntingQuery
This query lists the statistics for the objects that used the *runHuntingQuery* API call using the Graph API. This can help determine which applications access your security data and identify new applications that connect to this Graph API endpoint.
Statistics LOLBIN usage
List the the statistics of LOLBINS that have been executed. Mostly the rare lolbins are most interesting to why and whom executed them. The list of LOLBINS is based on the lolbas project.
Statistics onboarded devices (OS)
This query lists how many devices have been onboarded per operating system.
Storm-0539 AiTM URLs - EmailEvents
Microsoft Threat Intelligence has identified that the following url parts are used by Storm-0539 to deploy AiTM phishing pages:
Streaming Sites - DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/streaming-sites.csv"] with (format="csv", ignoreFirstRecord=True);
Successful device code sign-in
**Note!!** if you ingest AADSignInEventsBeta or SigninLogs do not use this query.
Successful device code sign-in from unmanaged device
This query lists successful Entra ID sign-ins were device code authentication is used from an unmanaged device. This means that a device which is not managed by your organization has succesfully met the conditions to sign-in to your tenant using a managment API In addition you can filter on the previously set conditions in combination with a risk during sign-in to filter on cases that may have more priority.
Successful join of fake device using ROPC (query by @goldjg)
Query written by Graham Gold https://www.linkedin.com/in/graham-gold/ - Github: @goldjg
Successful sign-in from suspicious user agent
This detection identifies successful Azure AD/Entra ID sign-ins for a specific UPN where the user agent string matches a list of suspicious or tool-based user agents (such as `python-requests`, `Go-http-client`, or `azurehound`). It filters for successful sign-ins (`ErrorCode == 0`) by the target account and highlights sign-ins performed via known credential validation tools or phishinkits.