Sentinel-Queries

Collection of KQL queries


May I please suggest an addition to [Identity-DailySummaryofUsersAddedtoAADGroups.kql](https://github.com/reprise99/Sentinel-Queries/blob/main/Azure%20Active%20Directory/Identity-DailySummaryofUsersAddedtoAADGroups.kql). It would be useful to include the server the addition occurred on, as well as the administrator who performed the action. For...

This Sentinel query will combine output from OfficeActivity and EmailEvents to report usage of SendAs and SendOnBehalf rights.

Added extra context to the query by providing the Department and AccountCreationTime which can help to investigate incidents/hunts easily. Those two columns are needed to see if it is expected...

I believe the current version is looking for SSPR events that happen until 2 hours after the risk event, instead of what is stated in the first line comment (risk...

Hello, I have found the event `OperationName == "Add passwordless phone sign-in credential"`. In my case I was not able to associate this event with the other events that appear in...

Function-GroupChanges.kql: For some reason it looks like the group name in the TargetResources JSON appears as null. It looks like the event either puts it in new value or old...

## Summary

This PR adds a new KQL hunting query that detects suspicious PowerShell activity in Microsoft Defender for Endpoint.

## Query Details

**Filename:** `Device-PowerShell-AbuseDetection.kql`
**Folder:** `DefenderForEndpoint/`
**Use case:** The...

This query filters `DeviceFileEvents` for a given malicious file name and extension within the last 30 days. It projects key attributes such as event time, action type, device details, file...