EXPLORE DETECTIONS
TTP Detection Rule: PowerShell Launching Scripts From WindowsApps Directory (FIN7)
Detection opportunity: Launching PowerShell scripts from **windowsapps** directory
TTP Detection Rule: Suspicious network connection from MSBuild
Detection opportunity: MSBuild without commands
Typosquatted Email Received
Adversaries may create typosquatted domains to mimic your domains. This detection can be used to detect typosquatted domains and alert on entries. You can configure the threshold yourself based on the *TypoSquatMin* and *TypoSquatMax*, these values represent the percentage of how many unicode characters match.
UEBA - Find Onpremise users with Password Not Required
Requires UEBA to be setup
Unsigned script execution enabled for live response
Unusual Software Certificate Detection
This query looks for software certificates with low prevalence
USB_Data_Exfiltration
Set the amount of days to monitor
User Account Deletion
Lists the deleted users based on EventId 4726.
User added to sensitive group
In order to gain high priviliges an adversary can add themselfs to groups with high priviliges. Those priviliges allow the adversary to perform almost every action in your environment. This query is currently only used to detect three different sensitive groups, however other (custom) groups can be added to the list with sensitive groups.
User Deleted from Entra
replace_string(tostring(TargetResources[0].userPrincipalName),TargetId,'')
User Risk Visualization last 90 days
This visualization list the User Risk Events that have triggered in the last 90 days. The count per day is classified by the RiskEventType, those can amongs others be:
View data on software identified as affected by Nobelium campaign
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Visualise Time Of Last Password Reset
Visualise the time of which a password reset has last taken place, the information is grouped in buckets of 10 days. While password expiration requirements do more harm than good it is still recommended to take a look at the accounts from which the password has not changed for years. This is due to the changes in the password policy, if the policy has been changed after the latest password change of that account is it likely that the account does not adhere to the currenct password policy. Every next password policy is in most cases an improvement, therefore it is expected that accounts that have not changed their password after the latest policy update do not meet the current complexity requirements.
Visualization authentication Methods Used
This visualisation shows the authentication methods that have been used based on the selected TimeFrame.
Visualization of successful PIM activiations
This query visualises the PIM activation performed by accounts. A user who has used many different PIM roles may be interesting to examine, it could be that a users always asigns their PIM access rights without needing them all the time. The same goes for PIM roles with high privileges.
Visualization SignIn Failures due to Conditional Access Policy
This visualisation will return the failure types that occur in your tenant that are related to any conditional access failure. This can be used to deterime which failures are related to a policy and if strange activity is being performed or if a policy needs to be tuned in a specific manner.
Visualize Malware Detection Reasons
This query visualizes the malware detection reasons in a piechart. This is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the differnt detection reasons are visualized.
Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents
This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic. This will give an overview of the amount of incidents that have triggered for each specific tactic.
Visualize MITRE ATT&CK Techniques on triggered Sentinel incidents
This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic and technique. This will give an overview of the amount of techniques that have been triggered for each MITRE ATT&CK tactic. This can give an indication if specific techniques trigger a lot of incidents.
Visualize Phishing Detection Reasons
This query visualizes the phishing detection reasons in a piechart. This is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the differnt detection reasons are visualized.
Visualize the daily events for each table
In MDE or Sentinel there are plenty of tables that generate logs, in order to determine which tables ingest the most logs the queries below can be used. The *TimeRange* variable can be used to select the timerange for your visualization.
Visualize the daily incident triggers
Visualize the daily triggers in MDE or Sentinel in a columnchart. This can give insight into spikes in the amount of triggers.
Visualize the Threat Intelligence Indicators by day for the last 30 days
This query visualizes the amount of IOCs that have triggerd each day for the last 30 days in a timechart. This could indicate spikes in malicious activities by users or give intsights in the value of Threat Intelligence feeds.
Visualize the Threat Intelligence Indicators last 30 days
This query visualizes the IOCs that have triggerd in the last 30 days. That can for example be Domains, IPs or URLs. THe resuls are rendered in a Piechart.