EXPLORE DETECTIONS
Top N Accounts Longest Period Without Password Reset
List the top N accounts (based on *LatestNChanges*) with the longest time between now and their last password reset. While password expiration requirements often do more harm than good, it is still recommended to review the accounts whose password has not been changed for years. The reason is changes in the password policy: if the policy was changed after the latest password change of an account, it is likely that the account does not adhere to the current password policy. Each new password policy is in most cases an improvement, so accounts that have not changed their password since the latest policy update are expected not to meet the current complexity requirements.
Tor Connections
While Tor has legitimate uses for protecting personal privacy and circumventing censorship, connections from your environment to Tor nodes are often unwanted. Detecting connections to Tor nodes can be done using the dynamic IP list of Tor nodes provided by [dan.me.uk](https://www.dan.me.uk/); this allows you to query the most recent list of nodes each time the query is executed.
Total Device Risk Score
Scoring for the CVEs
Total Events by Table
This query returns a table that shows the number of events for each data table that occurred in the last 30 days. This gives you information about the total events in all your Sentinel tables. Since you probably ingest more into Sentinel than you know, this query can result in discovering 'new' data sources to investigate.
Total SMB Sessions Created by a suspicious device
Total SMB Sessions Created by FileName
Total Successful Sign-Ins by Browser
This query lists all the different browsers that are used to successfully sign in to your Entra ID tenant. This can be used to detect rare browsers that are used to sign in to your tenant.
Total Successful Sign-Ins by Operating System
This query can be used to detect rare operating systems that are used to sign in to your tenant. For example, if your company only has Windows company devices and you see sign-ins from macOS, those can be interesting to investigate.
Total vulnerable devices for known exploited vulnerabilities from CISA
Triggers when a known ransomware note is found
This query triggers when a known ransomware note is found.
Triggers when a known ransomware extension has been found
This query triggers when a file with a known ransomware extension has been found.
Triggers when a remote public SMB connection has been found
Triggers when a user performs a SmartScreen Override action
This query lists all SmartScreen override related events.
TrustedInstaller Abuse Detection
This query detects attempts to become TrustedInstaller.
TTP Detection Rule: Abusing PowerShell to disable Defender components
Detection opportunity: Abusing PowerShell to disable Defender components
TTP Detection Rule: Check for Phishing Emails Using IPFS in Phishing Campaigns
This detection rule focuses on identifying phishing emails that potentially use the InterPlanetary File System (IPFS) to host malicious content. The usage of IPFS in phishing campaigns is a sophisticated technique as it can bypass conventional security measures. The rule involves checking for subsequent connections to IPFS-hosted sites, which could indicate the execution of a phishing attack utilizing this decentralized file hosting system.
TTP Detection Rule: NetSupport running from unexpected directory (FIN7)
Detection opportunity: NetSupport running from unexpected directory
TTP Detection Rule: PowerShell -encodedcommand switch
Detection opportunity 4: PowerShell -encodedcommand switch
TTP Detection Rule: PowerShell Launching Scripts From WindowsApps Directory (FIN7)
Detection opportunity: Launching PowerShell scripts from **windowsapps** directory
TTP Detection Rule: Suspicious network connection from MSBuild
Detection opportunity: MSBuild without commands
Typosquatted Email Received
Adversaries may register typosquatted domains that mimic your domains. This detection identifies typosquatted sender domains and alerts on matching entries. You can configure the threshold yourself with *TypoSquatMin* and *TypoSquatMax*; these values represent the percentage of Unicode characters that match.
UEBA - Find On-premises Users with Password Not Required
Requires UEBA to be set up.
Unsigned script execution enabled for live response
Unusual Software Certificate Detection
This query looks for software certificates with low prevalence.