EXPLORE DETECTIONS
Disabled Account Attack Disruption
Attack disruption disabled a cloud/hybrid account due to suspicious activities. The query lists the accounts that have been disabled by MDI.
Disabling Global Secure Access by Registry
Discovering potentially tampered devices [Nobelium]
To evade security software and analyst tools, Nobelium malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.
Display Teams participation duration of account associated with a suspicious IP address
This query is taken from the CISA playbook at https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
Domain federation trust settings modified
This query will find when federation trust settings are changed for a domain or when the domain is changed from managed to federated authentication. Results will relate to when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added.
Due Date Passed CISA Known Exploited Vulnerabilities
CISA provides a comprehensive list of known exploited vulnerabilities with CVE numbers, vendor names, product names, vulnerability names, dates, short descriptions, action due dates, and notes. This dynamic list is ingested into a KQL query to detect newly added known exploited vulnerabilities that are active in your environment.
Email Events from Email Providers
A list of all email provider domains (free, paid, blacklist, etc.). Some of these are probably not around anymore. I've combined a dozen lists from around the web. Current "major providers" should all be in here as of the date this was created.
EmailEvents - Sender TLD count
Emotet Domain IOC Feed
Emotet SHA256 IOC Feed
End of Life Software with File Paths using TVM
End of Support software used
Entra - Auditing TenantRestrictionsV2 Events
This query looks for sign-in attempts by a user into a tenant that is not approved by their tenant's Tenant Restriction policy. A log entry is generated in both Tenant A and Tenant B.
Entra Account Disabled
Entra Group Changes
Entra Identify and Map Authentication Context Usage
Full credit goes to https://www.chanceofsecurity.com/post/mastering-microsoft-entra-authentication-contexts-part-4-monitoring-and-reporting. I did not write this query.
Entra Password Resets
Entra Sign-ins to Legacy Azure Active Directory PowerShell
Entra Smart Lockout Tampering
EntraIdSignInEvents - Hunting Potential Seamless SSO Usage
This query is a replacement for https://github.com/jkerai1/KQL-Queries/blob/main/Defender/AADSignInEventsBeta%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql
EntraIdSignInEvents - Suspicious User agent
This query is the update to https://github.com/jkerai1/KQL-Queries/blob/main/Defender/AADSignInEventsBeta%20-%20Suspicious%20User%20agent.kql
Exchange PowerShell snap-in being loaded
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
Exchange Server IIS dropping web shells and other artifacts
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
Exchange vulnerability creating web shells via UMWorkerProcess
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".