├── Defender
│   ├── Check for DNS query going to known Malicious Domain.md
│   ├── Click-fix
│   │   ├── Filefix.md
│   │   ├── Hunt for PowerShell commands run in the RUNMRU.md
│   │   └── Hunt for Users Running Command in Run.md
│   ├── Data Exfiltration
│   │   ├── File Exfiltration from server to the Internet.md
│   │   ├── Hunt for Personal OneDrive usage in the Organization.md
│   │   └── Monitor large file (including documents and any executable files) sharing over e-mail.md
│   ├── Defender Weekly OSINT IOC -List Hunt.md
│   ├── Device Onboarding Hunting Query
│   │   └── Hunt for Devices Not Onboarded on Defender.md
│   ├── Email Hunting Queries
│   │   ├── Hunt for E-mails shared with URL and attachments clicked by Users.md
│   │   ├── Hunt for Phishing E-mail Delivered inside the organization.md
│   │   ├── Hunt for Specific User sending mass E-mail to other Recipient and list out user's clicking the URL.md
│   │   ├── Hunt for files shared by malicious e-mail sender on the devices.md
│   │   ├── Hunt outbound E-mails and attachments Shared outside organization Domain.md
│   │   ├── Hunting query to see Auto-Reply forward to other e-mail Recipient.md
│   │   ├── Review PowerShell activities after receipt of emails from known malicious sender.md
│   │   ├── Review logon attempts after receipt of malicious emails.md
│   │   └── UrlClicks by user for specific urls.md
│   ├── External Device Mounted
│   │   └── Hunt for any External Mounted Device.md
│   ├── File Downloads from Browsers
│   │   └── Browser Downloads.md
│   ├── Hunt For Wireless Connected Workstation.md
│   ├── Hunt RMM Tools Usage in Organization.md
│   ├── Hunt and Correlate For Wireless Private Network Connection with Public IPs.md
│   ├── Hunt for Application process Communicating with Public IP.md
│   ├── Hunt for EDR killer Tools used by Threat Actors.md
│   ├── Hunt for IOC_Extensions.md
│   ├── Hunt for Suspicious Windows Services.md
│   ├── Hunt for any suspicious traffic going to suspicious ports from firewall.md
│   ├── Hunt new browser extension installation on Microsoft Defender For Endpoint Devices.md
│   ├── Identify Fake URL Domain.md
│   ├── Identity Query
│   │   ├── Hunt for Total Service account, Total Enabled service account and Total Disabled account.md
│   │   ├── List of Disabled Service Account.md
│   │   ├── List of Enabled Service Account.md
│   │   └── List of Service Accounts.md
│   ├── Leaked Credentials
│   │   └── Hunt for Leaked Credentials.md
│   ├── Logon Hunting Queries
│   │   ├── GobalProtect Login outside of the Specified Country.md
│   │   ├── Hunt for RDP Session by any device or user's.md
│   │   └── Logon Events inside organization Domain.md
│   ├── Permission Changes
│   │   ├── Hunt for Authentication Method Changes for MFA.md
│   │   ├── Hunt for Authentication Modes used for MFA.md
│   │   ├── Hunt for Authenticator App modification done for MFA.md
│   │   ├── Hunt for Roles Assigned to users.md
│   │   └── Permission Changes in Azure.md
│   ├── PowerShell Execution Hunting Queries
│   │   ├── Hunt Potential PowerShell command line run by user.md
│   │   └── Hunt for Potential suspicious PowerShell Scripts Run by the User.md
│   ├── Scheduled Task Query
│   │   └── Hunt for Auto or user Triggered Scheduled tasks.md
│   ├── Suspicious External Connection to public IP
│   │   ├── Detecting External Connections from public IP to internal Device.md
│   │   └── IOC_DOMAIN_Check.md
│   ├── Unsanctioned Certificates
│   │   ├── Hunt for Specific Unsanctioned Certificates.md
│   │   └── Hunt for Unsanctioned Certificates.md
│   ├── Unusual volume of DNS Queries within last 24 hours.md
│   └── Vulnerability Hunting Queries
│       ├── Hunt Devices with Missing Security Updates.md
│       └── Hunt for Specific CVE associated with the devices onboarded on Defender.md
├── IOC
│   ├── 06082025-edrkiller-iocs.csv
│   ├── IOC_RMM.csv
│   ├── OSINT-02-09-2025.csv
│   ├── OSINT-02-June-2025.csv
│   ├── OSINT-03-March-IOC-List.csv
│   ├── OSINT-04-August-2025.csv
│   ├── OSINT-05-MAY-2025.csv
│   ├── OSINT-07-April-2025.csv
│   ├── OSINT-07-July-2025.csv
│   ├── OSINT-09-June-2025.csv
│   ├── OSINT-10-March-2025.csv
│   ├── OSINT-11-August-2025.csv
│   ├── OSINT-12-MAy-2025.csv
│   ├── OSINT-14-April2025.csv
│   ├── OSINT-14-July-2025.csv
│   ├── OSINT-17 Feb-IOC-List.csv
│   ├── OSINT-17-June-2025.csv
│   ├── OSINT-17-March-2025.csv
│   ├── OSINT-18-August-2025.csv
│   ├── OSINT-19-May-2025.csv
│   ├── OSINT-21-April-2025.csv
│   ├── OSINT-21-July-2025.csv
│   ├── OSINT-24-March-2025.csv
│   ├── OSINT-24Feb-IOC-List (2).csv
│   ├── OSINT-24Feb-IOC-List.csv
│   ├── OSINT-25-August-2025.csv
│   ├── OSINT-26-May-2025 (3).csv
│   ├── OSINT-28-April-2025.csv
│   ├── OSINT-28-July-2025.csv
│   ├── OSINT-30-June-2025.csv
│   └── OSINT-31-March-2025.csv
├── LICENSE
├── README.md
├── Reports
│   ├── After-Hours-Incidents-Weekdays.md
│   ├── Query to generate incident report for last 14 days.md
│   └── Top 10 Security Incidents.md
└── Sentinel
    ├── AD user enabled and password not set within 48 hours(Severity: Low).md
    ├── Account Created and Deleted in short Timeframe(Severity: High).md
    ├── Account Password Not Required (Severity: High).md
    ├── Account created or deleted by non-approved user(Severity: Medium).md
    ├── Attempts to sign in to disabled accounts (Severity: Medium).md
    ├── Excessive-Login-Failure-Detection-Rule(LOW Severity).md
    ├── Malicious URL-Clicks in Emails by Users.md
    ├── Multiple authentication failures followed by a success(Severity: Low).md
    ├── Permission Change in Azure.md
    └── User added to privilege group (Severity: High).md

/Defender/Check for DNS query going to known Malicious Domain.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Check for DNS query going to known Malicious Domain.md
--------------------------------------------------------------------------------
/Defender/Click-fix/Filefix.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Click-fix/Filefix.md
--------------------------------------------------------------------------------
/Defender/Click-fix/Hunt for PowerShell commands run in the RUNMRU.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Click-fix/Hunt for PowerShell commands run in the RUNMRU.md
--------------------------------------------------------------------------------
/Defender/Click-fix/Hunt for Users Running Command in Run.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Click-fix/Hunt for Users Running Command in Run.md
--------------------------------------------------------------------------------
/Defender/Data Exfiltration/File Exfiltration from server to the Internet.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Data Exfiltration/File Exfiltration from server to the Internet.md
--------------------------------------------------------------------------------
/Defender/Data Exfiltration/Hunt for Personal OneDrive usage in the Organization.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Data Exfiltration/Hunt for Personal OneDrive usage in the Organization.md
--------------------------------------------------------------------------------
/Defender/Data Exfiltration/Monitor large file (including documents and any executable files) sharing over e-mail.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Data Exfiltration/Monitor large file (including documents and any executable files) sharing over e-mail.md
--------------------------------------------------------------------------------
/Defender/Defender Weekly OSINT IOC -List Hunt.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Defender Weekly OSINT IOC -List Hunt.md
--------------------------------------------------------------------------------
/Defender/Device Onboarding Hunting Query/Hunt for Devices Not Onboarded on Defender.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Device Onboarding Hunting Query/Hunt for Devices Not Onboarded on Defender.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Hunt for E-mails shared with URL and attachments clicked by Users.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Hunt for E-mails shared with URL and attachments clicked by Users.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Hunt for Phishing E-mail Delivered inside the organization.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Hunt for Phishing E-mail Delivered inside the organization.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Hunt for Specific User sending mass E-mail to other Recipient and list out user's clicking the URL.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Hunt for Specific User sending mass E-mail to other Recipient and list out user's clicking the URL.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Hunt for files shared by malicious e-mail sender on the devices.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Hunt for files shared by malicious e-mail sender on the devices.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Hunt outbound E-mails and attachments Shared outside organization Domain.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Hunt outbound E-mails and attachments Shared outside organization Domain.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Hunting query to see Auto-Reply forward to other e-mail Recipient.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Hunting query to see Auto-Reply forward to other e-mail Recipient.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Review PowerShell activities after receipt of emails from known malicious sender.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Review PowerShell activities after receipt of emails from known malicious sender.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/Review logon attempts after receipt of malicious emails.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/Review logon attempts after receipt of malicious emails.md
--------------------------------------------------------------------------------
/Defender/Email Hunting Queries/UrlClicks by user for specific urls.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Email Hunting Queries/UrlClicks by user for specific urls.md
--------------------------------------------------------------------------------
/Defender/External Device Mounted/Hunt for any External Mounted Device.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/External Device Mounted/Hunt for any External Mounted Device.md
--------------------------------------------------------------------------------
/Defender/File Downloads from Browsers/Browser Downloads.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/File Downloads from Browsers/Browser Downloads.md
--------------------------------------------------------------------------------
/Defender/Hunt For Wireless Connected Workstation.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt For Wireless Connected Workstation.md
--------------------------------------------------------------------------------
/Defender/Hunt RMM Tools Usage in Organization.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt RMM Tools Usage in Organization.md
--------------------------------------------------------------------------------
/Defender/Hunt and Correlate For Wireless Private Network Connection with Public IPs.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt and Correlate For Wireless Private Network Connection with Public IPs.md
--------------------------------------------------------------------------------
/Defender/Hunt for Application process Communicating with Public IP.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt for Application process Communicating with Public IP.md
--------------------------------------------------------------------------------
/Defender/Hunt for EDR killer Tools used by Threat Actors.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt for EDR killer Tools used by Threat Actors.md
--------------------------------------------------------------------------------
/Defender/Hunt for IOC_Extensions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt for IOC_Extensions.md
--------------------------------------------------------------------------------
/Defender/Hunt for Suspicious Windows Services.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt for Suspicious Windows Services.md
--------------------------------------------------------------------------------
/Defender/Hunt for any suspicious traffic going to suspicious ports from firewall.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt for any suspicious traffic going to suspicious ports from firewall.md
--------------------------------------------------------------------------------
/Defender/Hunt new browser extension installation on Microsoft Defender For Endpoint Devices.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Hunt new browser extension installation on Microsoft Defender For Endpoint Devices.md
--------------------------------------------------------------------------------
/Defender/Identify Fake URL Domain.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Identify Fake URL Domain.md
--------------------------------------------------------------------------------
/Defender/Identity Query/Hunt for Total Service account, Total Enabled service account and Total Disabled account.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Identity Query/Hunt for Total Service account, Total Enabled service account and Total Disabled account.md
--------------------------------------------------------------------------------
/Defender/Identity Query/List of Disabled Service Account.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Identity Query/List of Disabled Service Account.md
--------------------------------------------------------------------------------
/Defender/Identity Query/List of Enabled Service Account.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Identity Query/List of Enabled Service Account.md
--------------------------------------------------------------------------------
/Defender/Identity Query/List of Service Accounts.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Identity Query/List of Service Accounts.md
--------------------------------------------------------------------------------
/Defender/Leaked Credentials/Hunt for Leaked Credentials.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Leaked Credentials/Hunt for Leaked Credentials.md
--------------------------------------------------------------------------------
/Defender/Logon Hunting Queries/GobalProtect Login outside of the Specified Country.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Logon Hunting Queries/GobalProtect Login outside of the Specified Country.md
--------------------------------------------------------------------------------
/Defender/Logon Hunting Queries/Hunt for RDP Session by any device or user's.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Logon Hunting Queries/Hunt for RDP Session by any device or user's.md
--------------------------------------------------------------------------------
/Defender/Logon Hunting Queries/Logon Events inside organization Domain.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Logon Hunting Queries/Logon Events inside organization Domain.md
--------------------------------------------------------------------------------
/Defender/Permission Changes/Hunt for Authentication Method Changes for MFA.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Permission Changes/Hunt for Authentication Method Changes for MFA.md
--------------------------------------------------------------------------------
/Defender/Permission Changes/Hunt for Authentication Modes used for MFA.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Permission Changes/Hunt for Authentication Modes used for MFA.md
--------------------------------------------------------------------------------
/Defender/Permission Changes/Hunt for Authenticator App modification done for MFA.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Permission Changes/Hunt for Authenticator App modification done for MFA.md
--------------------------------------------------------------------------------
/Defender/Permission Changes/Hunt for Roles Assigned to users.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Permission Changes/Hunt for Roles Assigned to users.md
--------------------------------------------------------------------------------
/Defender/Permission Changes/Permission Changes in Azure.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Permission Changes/Permission Changes in Azure.md
--------------------------------------------------------------------------------
/Defender/PowerShell Execution Hunting Queries/Hunt Potential PowerShell command line run by user.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/PowerShell Execution Hunting Queries/Hunt Potential PowerShell command line run by user.md
--------------------------------------------------------------------------------
/Defender/PowerShell Execution Hunting Queries/Hunt for Potential suspicious PowerShell Scripts Run by the User.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/PowerShell Execution Hunting Queries/Hunt for Potential suspicious PowerShell Scripts Run by the User.md
--------------------------------------------------------------------------------
/Defender/Scheduled Task Query/Hunt for Auto or user Triggered Scheduled tasks.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Scheduled Task Query/Hunt for Auto or user Triggered Scheduled tasks.md
--------------------------------------------------------------------------------
/Defender/Suspicious External Connection to public IP/Detecting External Connections from public IP to internal Device.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Suspicious External Connection to public IP/Detecting External Connections from public IP to internal Device.md
--------------------------------------------------------------------------------
/Defender/Suspicious External Connection to public IP/IOC_DOMAIN_Check.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Suspicious External Connection to public IP/IOC_DOMAIN_Check.md
--------------------------------------------------------------------------------
/Defender/Unsanctioned Certificates/Hunt for Specific Unsanctioned Certificates.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Unsanctioned Certificates/Hunt for Specific Unsanctioned Certificates.md
--------------------------------------------------------------------------------
/Defender/Unsanctioned Certificates/Hunt for Unsanctioned Certificates.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Unsanctioned Certificates/Hunt for Unsanctioned Certificates.md
--------------------------------------------------------------------------------
/Defender/Unusual volume of DNS Queries within last 24 hours.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Unusual volume of DNS Queries within last 24 hours.md
--------------------------------------------------------------------------------
/Defender/Vulnerability Hunting Queries/Hunt Devices with Missing Security Updates.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Vulnerability Hunting Queries/Hunt Devices with Missing Security Updates.md
--------------------------------------------------------------------------------
/Defender/Vulnerability Hunting Queries/Hunt for Specific CVE associated with the devices onboarded on Defender.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Defender/Vulnerability Hunting Queries/Hunt for Specific CVE associated with the devices onboarded on Defender.md
--------------------------------------------------------------------------------
/IOC/06082025-edrkiller-iocs.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/06082025-edrkiller-iocs.csv
--------------------------------------------------------------------------------
/IOC/IOC_RMM.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/IOC_RMM.csv
--------------------------------------------------------------------------------
/IOC/OSINT-02-09-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-02-09-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-02-June-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-02-June-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-03-March-IOC-List.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-03-March-IOC-List.csv
--------------------------------------------------------------------------------
/IOC/OSINT-04-August-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-04-August-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-05-MAY-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-05-MAY-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-07-April-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-07-April-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-07-July-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-07-July-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-09-June-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-09-June-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-10-March-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-10-March-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-11-August-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-11-August-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-12-MAy-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-12-MAy-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-14-April2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-14-April2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-14-July-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-14-July-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-17 Feb-IOC-List.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-17 Feb-IOC-List.csv
--------------------------------------------------------------------------------
/IOC/OSINT-17-June-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-17-June-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-17-March-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-17-March-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-18-August-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-18-August-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-19-May-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-19-May-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-21-April-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-21-April-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-21-July-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-21-July-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-24-March-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-24-March-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-24Feb-IOC-List (2).csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-24Feb-IOC-List (2).csv
--------------------------------------------------------------------------------
/IOC/OSINT-24Feb-IOC-List.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-24Feb-IOC-List.csv
--------------------------------------------------------------------------------
/IOC/OSINT-25-August-2025.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-25-August-2025.csv
--------------------------------------------------------------------------------
/IOC/OSINT-26-May-2025 (3).csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-26-May-2025 (3).csv
--------------------------------------------------------------------------------
/IOC/OSINT-28-April-2025.csv:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-28-April-2025.csv -------------------------------------------------------------------------------- /IOC/OSINT-28-July-2025.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-28-July-2025.csv -------------------------------------------------------------------------------- /IOC/OSINT-30-June-2025.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-30-June-2025.csv -------------------------------------------------------------------------------- /IOC/OSINT-31-March-2025.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/IOC/OSINT-31-March-2025.csv -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/README.md -------------------------------------------------------------------------------- /Reports/After-Hours-Incidents-Weekdays.md: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Reports/After-Hours-Incidents-Weekdays.md -------------------------------------------------------------------------------- /Reports/Query to generate incident report for last 14 days.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Reports/Query to generate incident report for last 14 days.md -------------------------------------------------------------------------------- /Reports/Top 10 Security Incidents.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Reports/Top 10 Security Incidents.md -------------------------------------------------------------------------------- /Sentinel/AD user enabled and password not set within 48 hours(Severity: Low).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/AD user enabled and password not set within 48 hours(Severity: Low).md -------------------------------------------------------------------------------- /Sentinel/Account Created and Deleted in short Timeframe(Severity: High).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Account Created and Deleted in short Timeframe(Severity: High).md -------------------------------------------------------------------------------- /Sentinel/Account Password Not Required (Severity: 
High).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Account Password Not Required (Severity: High).md -------------------------------------------------------------------------------- /Sentinel/Account created or deleted by non-approved user(Severity: Medium).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Account created or deleted by non-approved user(Severity: Medium).md -------------------------------------------------------------------------------- /Sentinel/Attempts to sign in to disabled accounts (Severity: Medium).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Attempts to sign in to disabled accounts (Severity: Medium).md -------------------------------------------------------------------------------- /Sentinel/Excessive-Login-Failure-Detection-Rule(LOW Severity).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Excessive-Login-Failure-Detection-Rule(LOW Severity).md -------------------------------------------------------------------------------- /Sentinel/Malicious URL-Clicks in Emails by Users.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Malicious URL-Clicks in Emails by Users.md 
-------------------------------------------------------------------------------- /Sentinel/Multiple authentication failures followed by a success(Severity: Low).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Multiple authentication failures followed by a success(Severity: Low).md -------------------------------------------------------------------------------- /Sentinel/Permission Change in Azure.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/Permission Change in Azure.md -------------------------------------------------------------------------------- /Sentinel/User added to privilege group (Severity: High).md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SubashGhimire/Hunting-Queries-and-Detection-Rule-Microsoft-Sentinel-Defender/HEAD/Sentinel/User added to privilege group (Severity: High).md --------------------------------------------------------------------------------