EXPLORE DETECTIONS
Detect web server exploitation by DoublePulsar
This query was originally published in the threat analytics report, *Motivated miners*.
Detect when an account has been changed in order for the password to never expire
In Active Directory a password can be set so that it will never expire. This is normally not desirable, because a password should be changed every x period. This query detects when a user account is set to Account Password Never Expires.
Detect when AnyDesk makes a remote connection
List devices from which AnyDesk makes a remote connection.
Detect when multiple Qakbot post compromise commands have been executed
Detect when multiple Qakbot post compromise commands have been executed.
Detecting a JAR attachment
This query was originally published in the threat analytics report, *Adwind utilizes Java for cross-platform impact*.
Detection Enrichment - Entra Group Membership Enriched
Sentinel Data Lake job to put an aggregated table of group memberships in LAW for filtering/enrichment in detections and automations.
Detection Enrichment - Entra User
Sentinel Data Lake job to put an aggregated table of entra users in LAW for filtering/enrichment in detections and automations.
Detects KillNets Ransomware note and the file extension that has been used to encrypt files
Detects KillNets Ransomware note and the file extension that has been used to encrypt files.
Detects malicious SMB Named Pipes (used by common C2 frameworks)
Detects the creation of a [named pipe](https://docs.microsoft.com/en-US/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c) used by known APT malware.
Device Alerts
This query lists all the alerts that have triggered based on a specific UPN in the selected *TimeFrame*.
Device Alerts
This query lists all the alerts that have triggered from a specific device in the selected *TimeFrame*.
Device ATP Tampering Detection
This query detects attempts to tamper with ATP settings.
Device configuration not compliant
----
Device Deleted from Entra
replace_string(tostring(TargetResources[0].userPrincipalName),TargetId,'')
Device EDR settings are not compliant
----
Device Removed From Isolation
This query lists all the devices that have been removed from isolation by Defender for Endpoint. It is good practice to review those once every x period. The query extracts multiple fields from the removal action, such as which device was isolated, which isolation comment was used and the type of isolation that was executed. The removal action is enriched with the original isolation information to return an overview of why the device was isolated and by whom, why it was removed from isolation, and who initiated that action.
DeviceEvents - AppLocker Events
or ActionType startswith "AppControl" //for WDAC
DeviceNetworkEvents Blocklist Project Hits
This query checks network traffic against multiple blocklists from the Blocklist Project.
Devices with a recent vulnerability that is exploitable
----
Devices with High severity CVEs with exploits available
join gives us isexploitavailable column
Devices with the most known exploited vulnerabilities
Devices with the most known exploited vulnerabilities
Devices with the most SMB connections
List all devices with the amount of SMB sessions they have.
DigitalSide Threat-Intel suspicious and/or malicious domains
DigitalSide Threat-Intel suspicious and/or malicious IP addresses