EXPLORE DETECTIONS
Successful signin from new country
This query detects successful signins from countries that have not been seen before. Depending on where you run this query the lookback period is different, M365D uses 30 days and Sentinel uses 90 days. If you have longer retention periods it is recommended to use longer thresholds.
summarizing user searches outside of normal working hours that contains sensitive keywords (CISA)
Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
Summary Rules - Entra Assigned Roles Report
This summary rule focusses on the assigned roles of users. The results of the summary rule can again be used to get insights into specific users, to for example see if their roles increase or decrease overtime. These results can also serve as input for reporting on role assignments.
Summary Rules - Entra Group Membership Report
This summary rule focusses on the group memberships of users. The results of the summary rule can again be used to get insights into specific users, to for example see if their memberships increase or decrease overtime. These results can also serve as input for reporting on group memberships
Summary Rules - Unique Actions
This summary rule saves all unique actions and how often they appear in your environment to the custom table or your choice.
Supisicous Named Piped Event
Named Pipes can be used to detect the execution of malicious software in your environment. Some software uses a standardized approach for Named Pipes, because of that they can serveas indicator.
Suspicious Browser Child Process
This detection detects when a browser has a suspicious child process, this child process can execute/install commands and is often used to install malware on systems.
Suspicious Directory Sync Account Sign ins
This query detects suspicious sign-ins to on-premises directory sync account
Suspicious enumeration using Adfind tool
Attackers can use Adfind which is administrative tool to gather information about domain controllers or ADFS servers. They may also rename executables with other benign tools on the system.
Suspicious Explorer Child Process
This detection detects when explorer has suspicious child process and the commandline contains suspicious parameters, this child process can execute/install commands and is often used to install malware on systems.
Suspicious File Extension Upload to Office 365
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/SuspiciousFileExtensions.txt"] with (format="txt", ignoreFirstRecord=False);
Suspicious MSBuild Remote Thread
Adversaries may use MSBuild.exe to execute/build code through a trusted windows lolbin. In this specific scenario a suspicious MSBuild remote threat is created which indicates Command & Control traffic or Reverse Shell activities.
Suspicious RUNMRU Entry
This query should be implemented as custom detection, it triggers once a Suspicious Windows RUNMRU entry found on a device. These RUNMRU entries are one of the key indicators for ClickFix.
Task creation associated with privilege escalation vulnerability, CVE-2019-0808
This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*
Temporary Email Addresses
raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/tempmail-abused%20emaildomains.txt'] with (format=csv, ignoreFirstRecord=False);
The art of Knowing Your SIEM & XDR Data
This learning section was part of the Demo for ExpertsLive Netherlands 2024.
Threat Hunting Cisco Yanluowang Ransomware IOCs
Actor: Yanluowang
Threat Hunting for inbound connections from malicious IPs on internet facing devices
This query leverages the internet-facing property in Defender For Endpoint logs. This information is enriched with Threat Intelligence IP information to find inbound connections on public-facing devices from suspicious IP addresses. The query only lists results if the port that is used matches the port that is open on the device. In this scenario IPSums level 4 is used, to reduce the false positive number, you could use higher levels:
Threat Hunting for telegram as a Commmand & Control channel
Telegram can be used as a C2 channel, this can be done by leveraging the Telegram API. Multiple actors have used this in the wild, also for exfiltration methods (see references). With this detection rule we focus on the api if telegram (api.telegram.org).
Threat Hunting Nighthawk RAT
IOC Source: https://raw.githubusercontent.com/fboldewin/YARA-rules/master/nighthawk.yar
Threat Intelligence Threat Types
The query can be used to visualize the different threat types you get from the MDTI connector to Sentinel. Some examples coult be botnet, phishing, MaliciousUrl or from a watchlist. This query can only be used in Sentinel.
Threatview Domain High Confidence Feed
```KQL
Threatview IP High Confidence Feed
```KQL
TLD by Count for DeviceNetworkEvents
Remove start and end of URL