EXPLORE DETECTIONS
USB_Data_Exfiltration
Set the number of days to monitor.
User Account Deletion
Lists the deleted users based on EventId 4726.
User added to sensitive group
In order to gain high privileges, an adversary can add themselves to groups with high privileges. Those privileges allow the adversary to perform almost every action in your environment. This query currently only detects three different sensitive groups; other (custom) groups can be added to the list of sensitive groups.
User Deleted from Entra
replace_string(tostring(TargetResources[0].userPrincipalName),TargetId,'')
User Risk Visualization last 90 days
This visualization lists the User Risk Events that have triggered in the last 90 days. The count per day is classified by the RiskEventType, which can, among others, be:
View data on software identified as affected by Nobelium campaign
This query was originally published in the threat analytics report, *Solorigate supply chain attack*. Please note that these attacks are currently known as the *Nobelium campaign*.
Visualise Time Of Last Password Reset
Visualises the time at which a password reset last took place; the information is grouped in buckets of 10 days. While password expiration requirements do more harm than good, it is still recommended to take a look at the accounts whose password has not changed for years. This is due to changes in the password policy: if the policy has been changed after the latest password change of that account, it is likely that the account does not adhere to the current password policy. Every new password policy is in most cases an improvement, so accounts that have not changed their password after the latest policy update are expected not to meet the current complexity requirements.
Visualization authentication Methods Used
This visualisation shows the authentication methods that have been used based on the selected TimeFrame.
Visualization of successful PIM activations
This query visualises the PIM activations performed by accounts. A user who has used many different PIM roles may be interesting to examine; it could be that a user always assigns all of their PIM access rights without needing them all the time. The same goes for PIM roles with high privileges.
Visualization SignIn Failures due to Conditional Access Policy
This visualisation returns the failure types that occur in your tenant that are related to any conditional access failure. This can be used to determine which failures are related to a policy, and whether strange activity is being performed or a policy needs to be tuned in a specific manner.
Visualize Malware Detection Reasons
This query visualizes the malware detection reasons in a pie chart. It is based on the EmailPostDeliveryEvents table, which in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the different detection reasons are visualized.
Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents
This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic. This gives an overview of the number of incidents that have triggered for each specific tactic.
Visualize MITRE ATT&CK Techniques on triggered Sentinel incidents
This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic and Technique. This gives an overview of the number of techniques that have triggered for each MITRE ATT&CK tactic, and can indicate whether specific techniques trigger a lot of incidents.
Visualize Phishing Detection Reasons
This query visualizes the phishing detection reasons in a pie chart. It is based on the EmailPostDeliveryEvents table, which in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the different detection reasons are visualized.
Visualize the daily events for each table
In MDE or Sentinel there are plenty of tables that generate logs; the queries below can be used to determine which tables ingest the most logs. The *TimeRange* variable can be used to select the time range for your visualization.
Visualize the daily incident triggers
Visualizes the daily triggers in MDE or Sentinel in a column chart. This can give insight into spikes in the number of triggers.
Visualize the Threat Intelligence Indicators by day for the last 30 days
This query visualizes the number of IOCs that have triggered each day for the last 30 days in a timechart. This could indicate spikes in malicious activity by users, or give insight into the value of Threat Intelligence feeds.
Visualize the Threat Intelligence Indicators last 30 days
This query visualizes the IOCs that have triggered in the last 30 days. These can for example be domains, IPs or URLs. The results are rendered in a pie chart.
Vulnerabilities visualized in a Piechart
Vulnerabilities Year To Date CISA KEV
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.
Vulnerabilities Year To Date CISA KEV Edge Devices
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor. This can be used to analyze how many vulnerabilities have been added for each vendor and their products. This specific query leverages a list of Edge Device products to filter specifically on Edge Devices, which are a common initial access vector for adversaries.
Vulnerabilities Year To Date CISA KEV Products
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor and their products. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.
Vulnerabilities Year To Date CISA KEV Release Year
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by year when the vulnerability was released.
WDAC App Control Collect Data for App Control Manager
See https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Use-Microsoft-Defender-for-Endpoint-Advanced-Hunting-With-WDAC-App-Control#collecting-the-data-from-mde-advanced-hunting