├── Detections
│   ├── Detect Commands Executed on TOR Switches.md
│   ├── Detect Data Connectors Failing to Fetch Data.md
│   ├── Detect Failed Logins to Nutanix Clusters.md
│   ├── Detect IMM Failed Logins.md
│   ├── Detect KVM Failed Authentication.md
│   ├── Detect Local Admin Accounts.md
│   ├── Detect Microsoft Intune Create Operations.md
│   ├── Detect PIM to Sensitive Roles After Hours.md
│   ├── Detect Potential Email Bombing.md
│   ├── Detect Potential File Exfiltration.md
│   ├── Detect RMMs.md
│   ├── Detect Suspicious PSSession to Remote Host.md
│   ├── Detect USBs Attached to Servers.md
│   ├── Detect User Account Creation on Local Host.md
│   ├── Detect User Reported Fraud. Microsoft Authenticator App.md
│   ├── Detect Users Accessing External Repositories.md
│   └── Detect Workday Banking Information Change.md
├── Hunting
│   ├── Hunt for Connections to GlobalProtect.md
│   ├── Hunt for Malicious Inbound Firewall Traffic.md
│   ├── Hunt for Rogue Devices.md
│   └── Hunt for VSCode Extensions.md
├── LICENSE
└── README.md

/Detections/Detect Commands Executed on TOR Switches.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Commands Executed on TOR Switches.md
--------------------------------------------------------------------------------

/Detections/Detect Data Connectors Failing to Fetch Data.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Data Connectors Failing to Fetch Data.md
--------------------------------------------------------------------------------

/Detections/Detect Failed Logins to Nutanix Clusters.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Failed Logins to Nutanix Clusters.md
--------------------------------------------------------------------------------

/Detections/Detect IMM Failed Logins.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect IMM Failed Logins.md
--------------------------------------------------------------------------------

/Detections/Detect KVM Failed Authentication.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect KVM Failed Authentication.md
--------------------------------------------------------------------------------

/Detections/Detect Local Admin Accounts.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Local Admin Accounts.md
--------------------------------------------------------------------------------

/Detections/Detect Microsoft Intune Create Operations.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Microsoft Intune Create Operations.md
--------------------------------------------------------------------------------

/Detections/Detect PIM to Sensitive Roles After Hours.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect PIM to Sensitive Roles After Hours.md
--------------------------------------------------------------------------------

/Detections/Detect Potential Email Bombing.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Potential Email Bombing.md
--------------------------------------------------------------------------------

/Detections/Detect Potential File Exfiltration.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Potential File Exfiltration.md
--------------------------------------------------------------------------------

/Detections/Detect RMMs.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect RMMs.md
--------------------------------------------------------------------------------

/Detections/Detect Suspicious PSSession to Remote Host.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Suspicious PSSession to Remote Host.md
--------------------------------------------------------------------------------

/Detections/Detect USBs Attached to Servers.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect USBs Attached to Servers.md
--------------------------------------------------------------------------------

/Detections/Detect User Account Creation on Local Host.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect User Account Creation on Local Host.md
--------------------------------------------------------------------------------

/Detections/Detect User Reported Fraud. Microsoft Authenticator App.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect User Reported Fraud. Microsoft Authenticator App.md
--------------------------------------------------------------------------------

/Detections/Detect Users Accessing External Repositories.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Users Accessing External Repositories.md
--------------------------------------------------------------------------------

/Detections/Detect Workday Banking Information Change.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Detections/Detect Workday Banking Information Change.md
--------------------------------------------------------------------------------

/Hunting/Hunt for Connections to GlobalProtect.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Hunting/Hunt for Connections to GlobalProtect.md
--------------------------------------------------------------------------------

/Hunting/Hunt for Malicious Inbound Firewall Traffic.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Hunting/Hunt for Malicious Inbound Firewall Traffic.md
--------------------------------------------------------------------------------

/Hunting/Hunt for Rogue Devices.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Hunting/Hunt for Rogue Devices.md
--------------------------------------------------------------------------------

/Hunting/Hunt for VSCode Extensions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/Hunting/Hunt for VSCode Extensions.md
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/LICENSE
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ItzHerbie/KQL/HEAD/README.md
--------------------------------------------------------------------------------