EXPLORE

EXPLORE DETECTIONS

🔍
588 detections found

TTP Detection Rule: PowerShell Launching Scripts From WindowsApps Directory (FIN7)

Detection opportunity: Launching PowerShell scripts from **windowsapps** directory

T1059.001T1059
KQL

TTP Detection Rule: Suspicious network connection from MSBuild

Detection opportunity: MSBuild without commands

T1127.001T1562.001T1562
KQL

Typosquatted Email Received

Adversaries may create typosquatted domains to mimic your domains. This detection can be used to detect typosquatted domains and alert on entries. You can configure the threshold yourself based on the *TypoSquatMin* and *TypoSquatMax*, these values represent the percentage of how many unicode characters match.

T1566
KQL

UEBA - Find Onpremise users with Password Not Required

Requires UEBA to be setup

KQL

Unsigned script execution enabled for live response

KQL

Unusual Software Certificate Detection

This query looks for software certificates with low prevalence

KQL

USB_Data_Exfiltration

Set the amount of days to monitor

KQL

User Account Deletion

Lists the deleted users based on EventId 4726.

KQL

User added to sensitive group

In order to gain high priviliges an adversary can add themselfs to groups with high priviliges. Those priviliges allow the adversary to perform almost every action in your environment. This query is currently only used to detect three different sensitive groups, however other (custom) groups can be added to the list with sensitive groups.

T1078.002T1078
KQL

User Deleted from Entra

replace_string(tostring(TargetResources[0].userPrincipalName),TargetId,'')

KQL

User Risk Visualization last 90 days

This visualization list the User Risk Events that have triggered in the last 90 days. The count per day is classified by the RiskEventType, those can amongs others be:

KQL

View data on software identified as affected by Nobelium campaign

This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.

KQL

Visualise Time Of Last Password Reset

Visualise the time of which a password reset has last taken place, the information is grouped in buckets of 10 days. While password expiration requirements do more harm than good it is still recommended to take a look at the accounts from which the password has not changed for years. This is due to the changes in the password policy, if the policy has been changed after the latest password change of that account is it likely that the account does not adhere to the currenct password policy. Every next password policy is in most cases an improvement, therefore it is expected that accounts that have not changed their password after the latest policy update do not meet the current complexity requirements.

KQL

Visualization authentication Methods Used

This visualisation shows the authentication methods that have been used based on the selected TimeFrame.

KQL

Visualization of successful PIM activiations

This query visualises the PIM activation performed by accounts. A user who has used many different PIM roles may be interesting to examine, it could be that a users always asigns their PIM access rights without needing them all the time. The same goes for PIM roles with high privileges.

KQL

Visualization SignIn Failures due to Conditional Access Policy

This visualisation will return the failure types that occur in your tenant that are related to any conditional access failure. This can be used to deterime which failures are related to a policy and if strange activity is being performed or if a policy needs to be tuned in a specific manner.

KQL

Visualize Malware Detection Reasons

This query visualizes the malware detection reasons in a piechart. This is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the differnt detection reasons are visualized.

KQL

Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents

This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic. This will give an overview of the amount of incidents that have triggered for each specific tactic.

KQL

Visualize MITRE ATT&CK Techniques on triggered Sentinel incidents

This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic and technique. This will give an overview of the amount of techniques that have been triggered for each MITRE ATT&CK tactic. This can give an indication if specific techniques trigger a lot of incidents.

KQL

Visualize Phishing Detection Reasons

This query visualizes the phishing detection reasons in a piechart. This is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the differnt detection reasons are visualized.

KQL

Visualize the daily events for each table

In MDE or Sentinel there are plenty of tables that generate logs, in order to determine which tables ingest the most logs the queries below can be used. The *TimeRange* variable can be used to select the timerange for your visualization.

KQL

Visualize the daily incident triggers

Visualize the daily triggers in MDE or Sentinel in a columnchart. This can give insight into spikes in the amount of triggers.

KQL

Visualize the Threat Intelligence Indicators by day for the last 30 days

This query visualizes the amount of IOCs that have triggerd each day for the last 30 days in a timechart. This could indicate spikes in malicious activities by users or give intsights in the value of Threat Intelligence feeds.

KQL

Visualize the Threat Intelligence Indicators last 30 days

This query visualizes the IOCs that have triggerd in the last 30 days. That can for example be Domains, IPs or URLs. THe resuls are rendered in a Piechart.

KQL
PreviousPage 24 of 25Next