EXPLORE DETECTIONS
Change Conditional Access Policy
This KQL query lists all conditional access policies that have been changed. Modifying authentication processes can be used to create persistence on a cloud account.
CISA Known Exploited Vulnerabilities Visualization
CISA maintains an active list of currently exploited vulnerabilities; this query visualizes the number of vulnerable devices per CVE ID. This can help prioritize the vulnerabilities that need patching.
ClickFix Triage Query
To efficiently triage ClickFix incidents, the *ClickFix Triage KQL Query* below was developed. The KQL query takes the following input:
Cloud Discovery Performed by User At Risk
This query detects discovery events performed by a user at risk, based on the DiscoveryEvents subset. The list is currently limited, so you can add other items to it if needed. If you think additions are needed, please raise a pull request.
Cloud Persistence Activities by User At Risk
This query detects persistence events performed by a user at risk, based on the PersistenceEvents subset. The list is currently limited, so you can add other items to it if needed. If you think additions are needed, please raise a pull request.
CloudWorker Abuse Detection
This query detects network connections to known malicious Cloudflare Workers.
CockLi Abused Email Provider
This query loads the list of abused cock.li email domains from raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/cockli-abused-Email-domains.txt as an external CSV table (format=csv, ignoreFirstRecord=False).
Command and control associated with privilege escalation vulnerability, CVE-2019-0808
This query was originally published in the threat analytics report, *Windows 7 zero-day for CVE-2019-0808*.
Commandline Group Addition
This query aims to detect users that are added to a group via the command line. Adding users to a group via the command line is a common technique used by adversaries to gain additional permissions on systems or the domain.
Commandline User Addition
This query aims to detect users that are added via the command line. Adding users via the command line is a common technique used by adversaries to gain persistence on systems. Some examples of command lines used by adversaries are shown below.
Commandlines with cleartext passwords
Adversaries may search compromised systems to find and obtain insecurely stored credentials. It is best practice not to have unsecured credentials in use, so this query can help you list accounts that pass passwords on the command line. Command lines are often logged for various reasons and are therefore also accessible to adversaries. This query shows which users use cleartext passwords on the command line by providing the TotalExecutions, UniqueCommands, Commandlines, UniqueUsers and Usernames for each device.
Comparison between devices in Intune and MDE
This query lists the devices that are onboarded in Intune and classifies them based on their Defender for Endpoint status. You can select your own *SearchPeriod* in this query. The MDE data is based on process activity seen in the search window; if such activity is seen, the device is classified as *MDE Onboarded*. This can help determine which devices have not yet been onboarded to MDE.
Compromised certificate [Nobelium]
Searches for files that are signed with a compromised certificate associated with the Nobelium campaign.
Conditional Access Policy Addition
This KQL query lists all conditional access policies that have been added.
Confluence and WebLogic servers targeted by campaign
This query was originally published in the threat analytics report, *Confluence and WebLogic abuse*.
Connected PnP types
Lists the different Plug and Play (PnP) device types that are used in your organisation. The results are sorted by the total amount of events seen for each type.
Connections to abused TLDs - DeviceNetworkEvents
Gets the Spamhaus list of abused TLDs and matches it against outbound connections in DeviceNetworkEvents.
Consumer VPN Domains - DeviceNetworkEvents
This query loads the list of consumer VPN domains from raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Consumer%20VPNs.csv as an external CSV table (format="csv", ignoreFirstRecord=True) and matches it against DeviceNetworkEvents.
Copilot Models Used
This query renders a pie chart of the models used by Copilot interactions in your environment.
Creation of new Azure Tenant
Creation of spoof directories with Unicode characters
Custom detection for the creation of spoof directories whose names contain Unicode characters.
Credential harvesting through WDigest cache
This query was originally published in the threat analytics report, *WDigest credential harvesting*.
Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Nobelium]
Credentials were added to an application by UserA after the application was granted admin consent rights by UserB.