EXPLORE

EXPLORE DETECTIONS

🔍
588 detections found

Tomcat 8 process executing PowerShell command line to perform data exploitation activities and setting up scheduler tasks.

This query was originally published in the threat analytics report, *Sysrv botnet evolution*.

KQL

Top 10 devices with the most exploitable vulnerabilities

This query lists the 10 devices in your tenant with the most exploitable vulnerabilities.

KQL

Top 10 users with the most ips used to succesfully sign in

Collect the top 10 user with the most IP used to succefully sign in to a tenant. This query displays the 10 users that have used the most IP addresses so sign in.

KQL

Top 100 critical browser extensions with the most permissions required

----

KQL

Top 100 devices with the most browser extensions installed

----

KQL

Top 100 users that have the most interactive sign ins

Visualize the top 100 users that have performed the most interactive sign ins.

KQL

Top N Accounts Longest Period Without Password Reset

List the top N (based on *LatestNChanges*) with the longest time between now and their last password reset. While password expiration requirements do more harm than good it is still recommended to take a look at the accounts from which the password has not changed for years. This is due to the changes in the password policy, if the policy has been changed after the latest password change of that account is it likely that the account does not adhere to the currenct password policy. Every next password policy is in most cases an improvement, therefore it is expected that accounts that have not changed their password after the latest policy update do not meet the current complexity requirements.

KQL

Tor Connections

While Tor has legitimate uses for protecting personal privacy and circumventing censorship, it is often unwanted that connections are being made to Tor nodes. Detecting connections to Tor nodes can be done using the dynamic IP list of Tor nodes provided by [dan.me.uk](https://www.dan.me.uk/), this will allow you to query the most recent nodes each time the query is executed.

KQL

Total Device Risk Score

Scoring for the CVEs

KQL

Total Events by Table

This query returns a table that shows the number of events for each data table that occurred in the last 30 days. This can returns information about the totalevens in all your Sentinel tables. Since you probably ingest more in Sentinel than you know, this query can result in discovering 'new' data sources to investigate.

KQL

Total SMB Sessions Created by a suspicious device

Total SMB Sessions Created by a suspicious device

KQL

Total SMB Sessions Created by FileName

Total SMB Sessions Created by FileName

KQL

Total Succesful Sign-Ins by Browser

This query lists all the different browsers that are used to succesfully sign in to your Entra ID Tenant. This could be used to detect rare browsers that are used to sign into your tenant.

KQL

Total Succesful Sign-Ins by Operating System

This query can be used to detect rare operating systems that are used to sign into your tenant. For example your company only has Windows company devices and you have sign ins with MacOS, those can ben intersting to investigate.

KQL

Total vulnerable devices for known exploited vulnerabilities from CISA

----

KQL

Triggers when a know ransomware note is found

This query triggers when a known ransomware note is found.

KQL

Triggers when a known ransomware extension has been found

This query triggers when a file with a known ransomware extension has been found.

T1486
KQL

Triggers when a remote public SBM connection has been found

Triggers when a remote public SBM connection has been found

KQL

Triggers when a user performs a SmartScreen Override action

This query lists all SmartScreen override related events.

KQL

TrustedInstaller Abuse Detection

This query detects attempts to become TrustedInstaller

KQL

TTP Detection Rule: Abusing PowerShell to disable Defender components

Detection opportunity: Abusing PowerShell to disable Defender components

T1562.001T1562
KQL

TTP Detection Rule: Check for Phishing Emails Using IPFS in Phishing Campaigns

This detection rule focuses on identifying phishing emails that potentially use the InterPlanetary File System (IPFS) to host malicious content. The usage of IPFS in phishing campaigns is a sophisticated technique as it can bypass conventional security measures. The rule involves checking for subsequent connections to IPFS-hosted sites, which could indicate the execution of a phishing attack utilizing this decentralized file hosting system.

T1566.002T1566
KQL

TTP Detection Rule: NetSupport running from unexpected directory (FIN7)

Detection opportunity: NetSupport running from unexpected directory

T1219
KQL

TTP Detection Rule: PowerShell -encodedcommand switch

Detection opportunity 4: PowerShell -encodedcommand switch

T1027.010T1027
KQL
PreviousPage 23 of 25Next