EXPLORE

EXPLORE DETECTIONS

🔍
588 detections found

VM Creation using Azure Activity

Could be useful as part of rogue VM creation hunting, could add queries to check the tags and ensure is compliant with Org Tagging

KQL

Vulnerabilities visualized in a Piechart

----

KQL

Vulnerabilities Year To Date CISA KEV

This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.

KQL

Vulnerabilities Year To Date CISA KEV Edge Devices

This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor. This can be used to analyze how many vulnerabilities have been added for each vendor and their products. This specific query leverages a list of Edge Device products to filter specifically on Edge Devices, which is common initial access vector for adversaries.

KQL

Vulnerabilities Year To Date CISA KEV Products

This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor and their products. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.

KQL

Vulnerabilities Year To Date CISA KEV Release Year

This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by year when the vulnerability was released.

KQL

WDAC App Control Collect Data for App Control Manager

See https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Use-Microsoft-Defender-for-Endpoint-Advanced-Hunting-With-WDAC-App-Control#collecting-the-data-from-mde-advanced-hunting

KQL

Website Redirectors DeviceNetworkEvents

raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/WebsiteRedirectors.csv"] with (format="csv", ignoreFirstRecord=True);

KQL

Wevutil Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security.

T1070.001T1070
KQL

WiFi Password Dumping Detection

This query detects attempts to dump WiFi passwords in plain text from cmd

KQL

Zscalar IP Sign-in Check

Experimental, query needs optimization.

KQL

Zscaler Registry Tampering Detection

This query detects tampering of Zscaler registry keys for Start and State values

KQL
PreviousPage 25 of 25