├── Azure
│   ├── Audit Logic Apps with Office365 Connections using Resource Query.kql
│   ├── Azure Communication Services Deleted.kql
│   ├── Azure Function App Stopped or Deleted.kql
│   ├── Azure Logic App Disabled or Deleted.kql
│   ├── Azure Monitor Rule Disabled.kql
│   ├── Azure P2S (Point to site) Connection Success username and IP Parser.kql
│   ├── Azure Resource Graph - APIM with basic auth enabled.kql
│   ├── Azure Resource VM sku sizes Changes.kql
│   ├── Azure Subscription Budget Deletion.kql
│   ├── Log Analytic Workspace Deletions.kql
│   ├── Resource Lock Deletion for Azure Monitor Rule.kql
│   └── Sentinel Incident Deletions.kql
├── Defender
│   ├── AADSignInEventsBeta - Hunting Potential Seamless SSO Usage.kql
│   ├── AADSignInEventsBeta - Suspicious User agent.kql
│   ├── Adult Content MDE DeviceNetworkEvents.kql
│   ├── Anonymous Email Sending Domains MDE Traffic.kql
│   ├── Anti-lock or Idle Software.kql
│   ├── AntiSleep Domains - MDE DeviceNetworkEvents.kql
│   ├── Antivirus Domains - MDE DeviceNetworkEvents.kql
│   ├── BlockList Project DeviceNetworkEvents.kql
│   ├── Bring Your Own Minifilter - EDR Bypass.kql
│   ├── Browser Domains - DeviceNetworkEvents.kql
│   ├── Browser Extension Downloads using DeviceFileEvents.kql
│   ├── CVE Check with Software Evidence.kql
│   ├── CloudWorker Abuse Detection.kql
│   ├── Connections to abused TLDs - DeviceNetworkEvents.kql
│   ├── Consumer VPN Domains - DeviceNetworkEvents.kql
│   ├── Creation of spoof directories with Unicode characters.kql
│   ├── Crowdstrike Impersonation during Global Outage.kql
│   ├── Cryptocurrency Domain Detection.kql
│   ├── Custom IOC Block Events.kql
│   ├── Defender XDR Custom Detection Modifications.kql
│   ├── Detect Tor DNS request.kql
│   ├── Device ATP Tampering Detection.kql
│   ├── DeviceEvents - AppLocker Events.kql
│   ├── DeviceNetworkEvents Blocklist Project Hits.kql
│   ├── Devices with High severity CVEs with exploits available.kql
│   ├── Devices with the most known exploited vulnerabilities.kql
│   ├── Disabling Global Secure Access by Registry.kql
│   ├── End of Life Software with File Paths using TVM.kql
│   ├── Executables in AppData Local Roaming.kql
│   ├── Exploitable_CVE_AllDevices.kql
│   ├── Gaming Domains - DeviceNetworkEvents.kql
│   ├── Hanada Group Crowdstrike Impersonation Detection.kql
│   ├── Incidents to Mitre ATTACK navigator.kql
│   ├── Living Off The Tunnels IOCS.kql
│   ├── MDA - File Download by Country.kql
│   ├── MDA - IP Address Type.kql
│   ├── MDA Blocks by Application and URL.kql
│   ├── MDA Custom Warn Indicators Report.kql
│   ├── MDE DeviceRegistryEvents Tampering To DeviceTag.kql
│   ├── MalwareBazaar Certificate Blocklist Detection.kql
│   ├── Microsoft Phishing Subdomain Detection.kql
│   ├── Netskope Malicious CloudWorker Detection.kql
│   ├── Paste and Anonymous File Transfer Sites - DeviceNetworkEvents.kql
│   ├── Personal Messaging Domains - DeviceNetworkEvents.kql
│   ├── Piracy Domains - DeviceNetworkEvents.kql
│   ├── Potential Credential Dumping.kql
│   ├── Potentially Ungoverned AI Domains such as chatgpt.kql
│   ├── Potentially Unsanctioned Application Usage.kql
│   ├── PowerShell Defensive Evasion Detection.kql
│   ├── RMM Tools DeviceProcessEvents using Splunk List.txt
│   ├── ROSTI (Repackaged Open Source Intelligence) MDE File Events IOC Hits.kql
│   ├── ROSTI (Repackaged Open Source Intelligence) MDE Network Events IOC Hits.kql
│   ├── RansomwareToolMatrix Defender Lookup.kql
│   ├── Rclone Copy Process Args.kql
│   ├── Remote Management Tools (RMM) - DeviceNetworkEvents Domains.kql
│   ├── Safeboot Registry Modification Detection.kql
│   ├── Senstive Large File Uploads using CloudAppEvents.kql
│   ├── Set Persistence using Event Viewer Microsoft Redirection Program.kql
│   ├── Software Download Sites DeviceNetworkEvents.kql
│   ├── Streaming Sites - DeviceNetworkEvents.kql
│   ├── Suspicious Directory Sync Account Sign ins.kql
│   ├── TLD by Count for DeviceNetworkEvents.kql
│   ├── Total Device Risk Score.kql
│   ├── TrustedInstaller Abuse Detection.kql
│   ├── USB_Data_Exfiltration.kql
│   ├── Unsigned script execution enabled for live response.kql
│   ├── Unusual Software Certificate Detection.kql
│   ├── WDAC App Control Collect Data for App Control Manager.kql
│   ├── Website Redirectors DeviceNetworkEvents.kql
│   ├── WiFi Password Dumping Detection.kql
│   └── Zscaler Registry Tampering Detection.kql
├── Entra
│   ├── Access Review On Role Assignable Group AutoDeleted.kql
│   ├── Add custom security attribute definition in an attribute set.kql
│   ├── Assignment of Local Administrator Entra Role.kql
│   ├── Audit Justifications for PIM Requests.kql
│   ├── Audit Mandatory Office Days using Advanced Hunting.kql
│   ├── Audit User Marked as Compromised By Admin or App.kql
│   ├── Audit User tries to change password to a non-complying password.kql
│   ├── Audit when PIM fails to remove an eligible member from role.kql
│   ├── Creation of new Azure Tenant.kql
│   ├── Device Deleted from Entra.kql
│   ├── Entra - Auditing TenantRestrictionsV2 Events.kql
│   ├── Entra Account Disabled.kql
│   ├── Entra Group Changes.kql
│   ├── Entra Identify and Map Authentication Context Usage.kql
│   ├── Entra Password Resets.kql
│   ├── Entra Sign-ins to Legacy Azure Active Directory Powershell.kql
│   ├── Entra Smart Lockout Tampering.kql
│   ├── FIDO AAGUID Passkey Explorer.kql
│   ├── FOCI Client ID Detection.kql
│   ├── Get Tenant ID for Given Domain.kql
│   ├── Global Admin Elevations To User Access Administrator at Root Level.kql
│   ├── Last Password Change Time with Account Creation Time.kql
│   ├── MDA - OAuth App Disabled.kql
│   ├── Modifications To ApplicationManagementPolicy for Entra App Registrations.kql
│   ├── Most Recent Sign-in time for users in the last 30 days.kql
│   ├── Parsed User Agent.kql
│   ├── Potential User Signed into Edge Browser From Unmanaged or Unregistered Device.kql
│   ├── Request an actor token for graph.windows.net using Service to Service (S2S).kql
│   ├── Risk Based Step Up Consent (RBSU) for Application.kql
│   ├── SignInLogs - B2B Access Restrictions.kql
│   ├── SignIns with Country Name.kql
│   ├── Successful join of fake device using ROPC (query by @goldjg).kql
│   ├── UEBA - Find Onpremise users with Password Not Required.kql
│   ├── User Deleted from Entra.kql
│   └── Zscalar IP Sign-in Check.kql
├── LICENSE
├── Office 365
│   ├── CockLi Abused Email Provider.kql
│   ├── Display Teams participation duration of account associated with a suspicious IP address.kql
│   ├── Email Events from Email Providers.kql
│   ├── EmailEvents - Sender TLD count.kql
│   ├── Modifications to SafeLinks AllowClickThrough Policy.kql
│   ├── OnionMail EmailAddresses.kql
│   ├── Risky Sign-in Keyword Search (CISA).kql
│   ├── Suspicious File Extension Upload to Office 365.kql
│   ├── Temporary Email Addresses.kql
│   ├── identify mail items accessed by a specific IP address (CISA).kql
│   ├── office Add-in Installs.kql
│   └── summarizing user searches outside of normal working hours that contains sensitive keywords (CISA).kql
└── README.md

/Azure/Audit Logic Apps with Office365 Connections using Resource Query.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Audit Logic Apps with Office365 Connections using Resource Query.kql
--------------------------------------------------------------------------------

/Azure/Azure Communication Services Deleted.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure Communication Services Deleted.kql
--------------------------------------------------------------------------------

/Azure/Azure Function App Stopped or Deleted.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure Function App Stopped or Deleted.kql
--------------------------------------------------------------------------------

/Azure/Azure Logic App Disabled or Deleted.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure Logic App Disabled or Deleted.kql
--------------------------------------------------------------------------------

/Azure/Azure Monitor Rule Disabled.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure Monitor Rule Disabled.kql
--------------------------------------------------------------------------------

/Azure/Azure P2S (Point to site) Connection Success username and IP Parser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure P2S (Point to site) Connection Success username and IP Parser.kql
--------------------------------------------------------------------------------

/Azure/Azure Resource Graph - APIM with basic auth enabled.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure Resource Graph - APIM with basic auth enabled.kql
--------------------------------------------------------------------------------

/Azure/Azure Resource VM sku sizes Changes.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure Resource VM sku sizes Changes.kql
--------------------------------------------------------------------------------

/Azure/Azure Subscription Budget Deletion.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Azure Subscription Budget Deletion.kql
--------------------------------------------------------------------------------

/Azure/Log Analytic Workspace Deletions.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Log Analytic Workspace Deletions.kql
--------------------------------------------------------------------------------

/Azure/Resource Lock Deletion for Azure Monitor Rule.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Resource Lock Deletion for Azure Monitor Rule.kql
--------------------------------------------------------------------------------

/Azure/Sentinel Incident Deletions.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Azure/Sentinel Incident Deletions.kql
--------------------------------------------------------------------------------

/Defender/AADSignInEventsBeta - Hunting Potential Seamless SSO Usage.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/AADSignInEventsBeta - Hunting Potential Seamless SSO Usage.kql
--------------------------------------------------------------------------------

/Defender/AADSignInEventsBeta - Suspicious User agent.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/AADSignInEventsBeta - Suspicious User agent.kql
--------------------------------------------------------------------------------

/Defender/Adult Content MDE DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Adult Content MDE DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Anonymous Email Sending Domains MDE Traffic.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Anonymous Email Sending Domains MDE Traffic.kql
--------------------------------------------------------------------------------

/Defender/Anti-lock or Idle Software.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Anti-lock or Idle Software.kql
--------------------------------------------------------------------------------

/Defender/AntiSleep Domains - MDE DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/AntiSleep Domains - MDE DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Antivirus Domains - MDE DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Antivirus Domains - MDE DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/BlockList Project DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/BlockList Project DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Bring Your Own Minifilter - EDR Bypass.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Bring Your Own Minifilter - EDR Bypass.kql
--------------------------------------------------------------------------------

/Defender/Browser Domains - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Browser Domains - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Browser Extension Downloads using DeviceFileEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Browser Extension Downloads using DeviceFileEvents.kql
--------------------------------------------------------------------------------

/Defender/CVE Check with Software Evidence.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/CVE Check with Software Evidence.kql
--------------------------------------------------------------------------------

/Defender/CloudWorker Abuse Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/CloudWorker Abuse Detection.kql
--------------------------------------------------------------------------------

/Defender/Connections to abused TLDs - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Connections to abused TLDs - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Consumer VPN Domains - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Consumer VPN Domains - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Creation of spoof directories with Unicode characters.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Creation of spoof directories with Unicode characters.kql
--------------------------------------------------------------------------------

/Defender/Crowdstrike Impersonation during Global Outage.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Crowdstrike Impersonation during Global Outage.kql
--------------------------------------------------------------------------------

/Defender/Cryptocurrency Domain Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Cryptocurrency Domain Detection.kql
--------------------------------------------------------------------------------

/Defender/Custom IOC Block Events.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Custom IOC Block Events.kql
--------------------------------------------------------------------------------

/Defender/Defender XDR Custom Detection Modifications.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Defender XDR Custom Detection Modifications.kql
--------------------------------------------------------------------------------

/Defender/Detect Tor DNS request.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Detect Tor DNS request.kql
--------------------------------------------------------------------------------

/Defender/Device ATP Tampering Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Device ATP Tampering Detection.kql
--------------------------------------------------------------------------------

/Defender/DeviceEvents - AppLocker Events.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/DeviceEvents - AppLocker Events.kql
--------------------------------------------------------------------------------

/Defender/DeviceNetworkEvents Blocklist Project Hits.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/DeviceNetworkEvents Blocklist Project Hits.kql
--------------------------------------------------------------------------------

/Defender/Devices with High severity CVEs with exploits available.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Devices with High severity CVEs with exploits available.kql
--------------------------------------------------------------------------------

/Defender/Devices with the most known exploited vulnerabilities.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Devices with the most known exploited vulnerabilities.kql
--------------------------------------------------------------------------------

/Defender/Disabling Global Secure Access by Registry.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Disabling Global Secure Access by Registry.kql
--------------------------------------------------------------------------------

/Defender/End of Life Software with File Paths using TVM.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/End of Life Software with File Paths using TVM.kql
--------------------------------------------------------------------------------

/Defender/Executables in AppData Local Roaming.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Executables in AppData Local Roaming.kql
--------------------------------------------------------------------------------

/Defender/Exploitable_CVE_AllDevices.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Exploitable_CVE_AllDevices.kql
--------------------------------------------------------------------------------

/Defender/Gaming Domains - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Gaming Domains - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Hanada Group Crowdstrike Impersonation Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Hanada Group Crowdstrike Impersonation Detection.kql
--------------------------------------------------------------------------------

/Defender/Incidents to Mitre ATTACK navigator.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Incidents to Mitre ATTACK navigator.kql
--------------------------------------------------------------------------------

/Defender/Living Off The Tunnels IOCS.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Living Off The Tunnels IOCS.kql
--------------------------------------------------------------------------------

/Defender/MDA - File Download by Country.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/MDA - File Download by Country.kql
--------------------------------------------------------------------------------

/Defender/MDA - IP Address Type.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/MDA - IP Address Type.kql
--------------------------------------------------------------------------------

/Defender/MDA Blocks by Application and URL.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/MDA Blocks by Application and URL.kql
--------------------------------------------------------------------------------

/Defender/MDA Custom Warn Indicators Report.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/MDA Custom Warn Indicators Report.kql
--------------------------------------------------------------------------------

/Defender/MDE DeviceRegistryEvents Tampering To DeviceTag.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/MDE DeviceRegistryEvents Tampering To DeviceTag.kql
--------------------------------------------------------------------------------

/Defender/MalwareBazaar Certificate Blocklist Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/MalwareBazaar Certificate Blocklist Detection.kql
--------------------------------------------------------------------------------

/Defender/Microsoft Phishing Subdomain Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Microsoft Phishing Subdomain Detection.kql
--------------------------------------------------------------------------------

/Defender/Netskope Malicious CloudWorker Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Netskope Malicious CloudWorker Detection.kql
--------------------------------------------------------------------------------

/Defender/Paste and Anonymous File Transfer Sites - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Paste and Anonymous File Transfer Sites - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Personal Messaging Domains - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Personal Messaging Domains - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Piracy Domains - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Piracy Domains - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Potential Credential Dumping.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Potential Credential Dumping.kql
--------------------------------------------------------------------------------

/Defender/Potentially Ungoverned AI Domains such as chatgpt.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Potentially Ungoverned AI Domains such as chatgpt.kql
--------------------------------------------------------------------------------

/Defender/Potentially Unsanctioned Application Usage.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Potentially Unsanctioned Application Usage.kql
--------------------------------------------------------------------------------

/Defender/PowerShell Defensive Evasion Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/PowerShell Defensive Evasion Detection.kql
--------------------------------------------------------------------------------

/Defender/RMM Tools DeviceProcessEvents using Splunk List.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/RMM Tools DeviceProcessEvents using Splunk List.txt
--------------------------------------------------------------------------------

/Defender/ROSTI (Repackaged Open Source Intelligence) MDE File Events IOC Hits.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/ROSTI (Repackaged Open Source Intelligence) MDE File Events IOC Hits.kql
--------------------------------------------------------------------------------

/Defender/ROSTI (Repackaged Open Source Intelligence) MDE Network Events IOC Hits.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/ROSTI (Repackaged Open Source Intelligence) MDE Network Events IOC Hits.kql
--------------------------------------------------------------------------------

/Defender/RansomwareToolMatrix Defender Lookup.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/RansomwareToolMatrix Defender Lookup.kql
--------------------------------------------------------------------------------

/Defender/Rclone Copy Process Args.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Rclone Copy Process Args.kql
--------------------------------------------------------------------------------

/Defender/Remote Management Tools (RMM) - DeviceNetworkEvents Domains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Remote Management Tools (RMM) - DeviceNetworkEvents Domains.kql
--------------------------------------------------------------------------------

/Defender/Safeboot Registry Modification Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Safeboot Registry Modification Detection.kql
--------------------------------------------------------------------------------

/Defender/Senstive Large File Uploads using CloudAppEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Senstive Large File Uploads using CloudAppEvents.kql
--------------------------------------------------------------------------------

/Defender/Set Persistence using Event Viewer Microsoft Redirection Program.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Set Persistence using Event Viewer Microsoft Redirection Program.kql
--------------------------------------------------------------------------------

/Defender/Software Download Sites DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Software Download Sites DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Streaming Sites - DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Streaming Sites - DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Suspicious Directory Sync Account Sign ins.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Suspicious Directory Sync Account Sign ins.kql
--------------------------------------------------------------------------------

/Defender/TLD by Count for DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/TLD by Count for DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/Total Device Risk Score.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Total Device Risk Score.kql
--------------------------------------------------------------------------------

/Defender/TrustedInstaller Abuse Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/TrustedInstaller Abuse Detection.kql
--------------------------------------------------------------------------------

/Defender/USB_Data_Exfiltration.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/USB_Data_Exfiltration.kql
--------------------------------------------------------------------------------

/Defender/Unsigned script execution enabled for live response.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Unsigned script execution enabled for live response.kql
--------------------------------------------------------------------------------

/Defender/Unusual Software Certificate Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Unusual Software Certificate Detection.kql
--------------------------------------------------------------------------------

/Defender/WDAC App Control Collect Data for App Control Manager.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/WDAC App Control Collect Data for App Control Manager.kql
--------------------------------------------------------------------------------

/Defender/Website Redirectors DeviceNetworkEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Website Redirectors DeviceNetworkEvents.kql
--------------------------------------------------------------------------------

/Defender/WiFi Password Dumping Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/WiFi Password Dumping Detection.kql
--------------------------------------------------------------------------------

/Defender/Zscaler Registry Tampering Detection.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Defender/Zscaler Registry Tampering Detection.kql
--------------------------------------------------------------------------------

/Entra/Access Review On Role Assignable Group AutoDeleted.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Access Review On Role Assignable Group AutoDeleted.kql
--------------------------------------------------------------------------------

/Entra/Add custom security attribute definition in an attribute set.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Add custom security attribute definition in an attribute set.kql
--------------------------------------------------------------------------------

/Entra/Assignment of Local Administrator Entra Role.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Assignment of Local Administrator Entra Role.kql
--------------------------------------------------------------------------------

/Entra/Audit Justifications for PIM Requests.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Audit Justifications for PIM Requests.kql
--------------------------------------------------------------------------------

/Entra/Audit Mandatory Office Days using Advanced Hunting.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Audit Mandatory Office Days using Advanced Hunting.kql
--------------------------------------------------------------------------------

/Entra/Audit User Marked as Compromised By Admin or App.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Audit User Marked as Compromised By Admin or App.kql
--------------------------------------------------------------------------------

/Entra/Audit User tries to change password to a non-complying password.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Audit User tries to change password to a non-complying password.kql
--------------------------------------------------------------------------------

/Entra/Audit when PIM fails to remove an eligible member from role.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Audit when PIM fails to remove an eligible member from role.kql
--------------------------------------------------------------------------------

/Entra/Creation of new Azure Tenant.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Creation of new Azure Tenant.kql
--------------------------------------------------------------------------------

/Entra/Device Deleted from Entra.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Device Deleted from Entra.kql
--------------------------------------------------------------------------------

/Entra/Entra - Auditing TenantRestrictionsV2 Events.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Entra -
Auditing TenantRestrictionsV2 Events.kql -------------------------------------------------------------------------------- /Entra/Entra Account Disabled.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Entra Account Disabled.kql -------------------------------------------------------------------------------- /Entra/Entra Group Changes.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Entra Group Changes.kql -------------------------------------------------------------------------------- /Entra/Entra Identify and Map Authentication Context Usage.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Entra Identify and Map Authentication Context Usage.kql -------------------------------------------------------------------------------- /Entra/Entra Password Resets.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Entra Password Resets.kql -------------------------------------------------------------------------------- /Entra/Entra Sign-ins to Legacy Azure Active Directory Powershell.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Entra Sign-ins to Legacy Azure Active Directory Powershell.kql -------------------------------------------------------------------------------- /Entra/Entra Smart Lockout Tampering.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Entra Smart Lockout Tampering.kql -------------------------------------------------------------------------------- 
/Entra/FIDO AAGUID Passkey Explorer.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/FIDO AAGUID Passkey Explorer.kql -------------------------------------------------------------------------------- /Entra/FOCI Client ID Detection.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/FOCI Client ID Detection.kql -------------------------------------------------------------------------------- /Entra/Get Tenant ID for Given Domain.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Get Tenant ID for Given Domain.kql -------------------------------------------------------------------------------- /Entra/Global Admin Elevations To User Access Administrator at Root Level.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Global Admin Elevations To User Access Administrator at Root Level.kql -------------------------------------------------------------------------------- /Entra/Last Password Change Time with Account Creation Time.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Last Password Change Time with Account Creation Time.kql -------------------------------------------------------------------------------- /Entra/MDA - OAuth App Disabled.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/MDA - OAuth App Disabled.kql -------------------------------------------------------------------------------- /Entra/Modifications To ApplicationManagementPolicy for Entra App 
Registrations.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Modifications To ApplicationManagementPolicy for Entra App Registrations.kql -------------------------------------------------------------------------------- /Entra/Most Recent Sign-in time for users in the last 30 days.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Most Recent Sign-in time for users in the last 30 days.kql -------------------------------------------------------------------------------- /Entra/Parsed User Agent.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Parsed User Agent.kql -------------------------------------------------------------------------------- /Entra/Potential User Signed into Edge Browser From Unmanaged or Unregistered Device.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Potential User Signed into Edge Browser From Unmanaged or Unregistered Device.kql -------------------------------------------------------------------------------- /Entra/Request an actor token for graph.windows.net using Service to Service (S2S).kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Request an actor token for graph.windows.net using Service to Service (S2S).kql -------------------------------------------------------------------------------- /Entra/Risk Based Step Up Consent (RBSU) for Application.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Risk Based Step Up Consent (RBSU) for 
Application.kql -------------------------------------------------------------------------------- /Entra/SignInLogs - B2B Access Restrictions.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/SignInLogs - B2B Access Restrictions.kql -------------------------------------------------------------------------------- /Entra/SignIns with Country Name.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/SignIns with Country Name.kql -------------------------------------------------------------------------------- /Entra/Successful join of fake device using ROPC (query by @goldjg).kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Successful join of fake device using ROPC (query by @goldjg).kql -------------------------------------------------------------------------------- /Entra/UEBA - Find Onpremise users with Password Not Required.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/UEBA - Find Onpremise users with Password Not Required.kql -------------------------------------------------------------------------------- /Entra/User Deleted from Entra.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/User Deleted from Entra.kql -------------------------------------------------------------------------------- /Entra/Zscalar IP Sign-in Check.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Entra/Zscalar IP Sign-in Check.kql 
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/LICENSE -------------------------------------------------------------------------------- /Office 365/CockLi Abused Email Provider.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/CockLi Abused Email Provider.kql -------------------------------------------------------------------------------- /Office 365/Display Teams participation duration of account associated with a suspicious IP address.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/Display Teams participation duration of account associated with a suspicious IP address.kql -------------------------------------------------------------------------------- /Office 365/Email Events from Email Providers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/Email Events from Email Providers.kql -------------------------------------------------------------------------------- /Office 365/EmailEvents - Sender TLD count.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/EmailEvents - Sender TLD count.kql -------------------------------------------------------------------------------- /Office 365/Modifications to SafeLinks AllowClickThrough Policy.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/Modifications to SafeLinks AllowClickThrough Policy.kql 
-------------------------------------------------------------------------------- /Office 365/OnionMail EmailAddresses.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/OnionMail EmailAddresses.kql -------------------------------------------------------------------------------- /Office 365/Risky Sign-in Keyword Search (CISA).kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/Risky Sign-in Keyword Search (CISA).kql -------------------------------------------------------------------------------- /Office 365/Suspicious File Extension Upload to Office 365.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/Suspicious File Extension Upload to Office 365.kql -------------------------------------------------------------------------------- /Office 365/Temporary Email Addresses.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/Temporary Email Addresses.kql -------------------------------------------------------------------------------- /Office 365/identify mail items accessed by a specific IP address (CISA).kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/identify mail items accessed by a specific IP address (CISA).kql -------------------------------------------------------------------------------- /Office 365/office Add-in Installs.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/office Add-in Installs.kql 
-------------------------------------------------------------------------------- /Office 365/summarizing user searches outside of normal working hours that contains sensitive keywords (CISA).kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/Office 365/summarizing user searches outside of normal working hours that contains sensitive keywords (CISA).kql -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jkerai1/KQL-Queries/HEAD/README.md --------------------------------------------------------------------------------