EXPLORE DETECTIONS
VM Creation using Azure Activity
Could be useful as part of rogue VM creation hunting, could add queries to check the tags and ensure is compliant with Org Tagging
Vulnerabilities visualized in a Piechart
----
Vulnerabilities Year To Date CISA KEV
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.
Vulnerabilities Year To Date CISA KEV Edge Devices
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor. This can be used to analyze how many vulnerabilities have been added for each vendor and their products. This specific query leverages a list of Edge Device products to filter specifically on Edge Devices, which is common initial access vector for adversaries.
Vulnerabilities Year To Date CISA KEV Products
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor and their products. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.
Vulnerabilities Year To Date CISA KEV Release Year
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by year when the vulnerability was released.
WDAC App Control Collect Data for App Control Manager
See https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Use-Microsoft-Defender-for-Endpoint-Advanced-Hunting-With-WDAC-App-Control#collecting-the-data-from-mde-advanced-hunting
Website Redirectors DeviceNetworkEvents
raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/WebsiteRedirectors.csv"] with (format="csv", ignoreFirstRecord=True);
Wevutil Clear Windows Event Logs
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security.
WiFi Password Dumping Detection
This query detects attempts to dump WiFi passwords in plain text from cmd
Zscalar IP Sign-in Check
Experimental, query needs optimization.
Zscaler Registry Tampering Detection
This query detects tampering of Zscaler registry keys for Start and State values