EXPLORE

EXPLORE DETECTIONS

🔍
588 detections found

Senstive Large File Uploads using CloudAppEvents

Set threshold to alert on uploads above this size in GB

KQL

Sentinel Analytics Rule: CISA Known Exploited Vulnerability Added

This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).

KQL

Sentinel Incident Deletions

We may want to monitor if a sentinel incident has been deleted

KQL

Sentinel Workspace Disconnected

This query returns results if Sentinel workspaces have been removed from Unified XDR. These activities should be monitored to make sure that sentinel environments are not by mistakenly or purposely removed from your XDR environment.

T1562.008T1562
KQL

ServicePrincipalAddedToRole [Nobelium]

One of the indicators of compromise for the Nobelium (formerly Solorigate) campaign was that unexpected service principals have been added to privileged roles. This query looks for service principals that have been added to any role.

KQL

Set Persistence using Event Viewer Microsoft Redirection Program

Ref:https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/

KQL

Sign Ins by UserAgent

This query can be used to detect rare UserAgents that are used to sign into your tenant. Those rare UserAgents can be used for malicious acces into your tenant.

KQL

SignIn From Suspicious IP

This query combines threat intelligence feeds with Entra ID sign-in information.

KQL

SignInLogs - B2B Access Restrictions

| where ResultType != 0

KQL

SignIns with Country Name

raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/refs/heads/master/all/all.csv'] with (format=csv, ignoreFirstRecord=True);

KQL

SLA Time To Respond

The query below can be used to validate if the agreed SLA for time to respond is met by your analysts. The query used a datatable *SLA_Variables* that you can adjust to your time to responde (minutes).

KQL

Sliver C2 Beacon Loaded

A Sliver C2 beacon performs the below activities in sequence within a second. The detection combines these sigals in that particular sequence to detect a loaded beacon.

T1134.002T1071
KQL

Smoke Sandstorm - SnailResin and SlugResin Infection Detection

SlugResin infection involves the use of a legitimate file to load a malicious binary through DLL search order hijacking, delivering the SlugResin backdoor onto the target's device. This backdoor grants the actor access to the compromised device, potentially leading to further malicious activities like malware deployment, credential theft, privilege escalation, and lateral movement. The infection involves a two-stage process with the SnailResin loader and SlugResin backdoor, both associated with the Smoke Sandstorm threat group. The infection chain includes the use of a zip file ("bringthemhome.zip") containing malicious DLL files and a benign executable, which leads to the execution of the backdoor and establishment of a command-and-control connection.

T1574.002T1059.003T1574T1059
KQL

Software Download Sites DeviceNetworkEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/SoftwarePackersOrSoftwareDownloadProxySites.csv"] with (format="csv", ignoreFirstRecord=True);

KQL

SQL Server abuse

This query was originally published in the threat analytics report, **SQL Server abuse**.

KQL

Statistics Graph API runHuntingQuery

This query lists the statistics for the objects that used the *runHuntingQuery* API call using the Graph API. This can help determine which applications access your security data and identify new applications that connect to this Graph API endpoint.

KQL

Statistics LOLBIN usage

List the the statistics of LOLBINS that have been executed. Mostly the rare lolbins are most interesting to why and whom executed them. The list of LOLBINS is based on the lolbas project.

KQL

Statistics onboarded devices (OS)

This query lists how many devices have been onboarded per operating system.

KQL

Storm-0539 AiTM URLs - EmailEvents

Microsoft Threat Intelligence has identified that the following url parts are used by Storm-0539 to deploy AiTM phishing pages:

T1557
KQL

Streaming Sites - DeviceNetworkEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/streaming-sites.csv"] with (format="csv", ignoreFirstRecord=True);

KQL

Successful device code sign-in

**Note!!** if you ingest AADSignInEventsBeta or SigninLogs do not use this query.

T1566.002T1566
KQL

Successful device code sign-in from unmanaged device

This query lists successful Entra ID sign-ins were device code authentication is used from an unmanaged device. This means that a device which is not managed by your organization has succesfully met the conditions to sign-in to your tenant using a managment API In addition you can filter on the previously set conditions in combination with a risk during sign-in to filter on cases that may have more priority.

T1566.002T1566
KQL

Successful join of fake device using ROPC (query by @goldjg)

Query written by Graham Gold https://www.linkedin.com/in/graham-gold/ - Github: @goldjg

KQL

Successful sign-in from suspicious user agent

This detection identifies successful Azure AD/Entra ID sign-ins for a specific UPN where the user agent string matches a list of suspicious or tool-based user agents (such as `python-requests`, `Go-http-client`, or `azurehound`). It filters for successful sign-ins (`ErrorCode == 0`) by the target account and highlights sign-ins performed via known credential validation tools or phishinkits.

T1078
KQL
PreviousPage 21 of 25Next