microsoft/Microsoft-365-Defender-Hunting-Queries
Sample queries for Advanced hunting in Microsoft 365 Defender
Jupyter Notebook · MIT license
Issues
- Microsoft-365-Defender-Hunting-Queries/M365-PowerBi Dashboard/: Table 'Software' contains a duplicate value (#433, opened by KhaaliTurbo, 0 comments)
- Qakbot campaign process injection query is not correct (#430, opened by ionsor, 1 comment)
- 365 Hunting Query data refresh (#361, opened by kcgeek, 1 comment)
- rclone hashes for all versions released (#412, opened by LoZio, 0 comments)
- Persistence drive detection (#354, opened by PuneethRaya, 0 comments)
- TVM Reports (#338, opened by SSR1905, 8 comments)
- User IDs Monitoring (#335, opened by PuneethRaya, 4 comments)
- Does not work for Server 2016 or 2019 (#306, opened by johnB007, 2 comments)
- Query for Country code (#332, opened by nicolas-gagnon, 0 comments)
- Add Health State and Date last seen (#333, opened by johnB007, 1 comment)
- Web Content Filtering - status across devices query (#171, opened by SergGu, 3 comments)
- Data Exfiltration to email account (#300, opened by PuneethRaya, 1 comment)
- Protection | Windows Filtering Events (#307, opened by SmittySec, 2 comments)
- M365 Defender API Dashboard error (#318, opened by vboyev-MSFT, 0 comments)
- Query improvements - Exfiltration to Competitor (#298, opened by Jay1508, 8 comments)
- Web Traffic data hunt (#111, opened by exigentcircumstance, 0 comments)
- Can't pull from branch because of file name (#194, opened by martyav, 0 comments)
- Incident Query and Isolation history query (#156, opened by bobose, 0 comments)
- Missing USB file write events (#108, opened by gunnahafta, 2 comments)
- USB file writes (#107, opened by tjackson78, 1 comment)
- \Windows\assembly\NativeImages_v4.0.30319_64 (#100, opened by droushd, 1 comment)
- Unable to query events from more than 7 days ago (#94, opened by DSharpPro, 0 comments)
- Credential Access: Brute force (#30, opened by TomerAlpert, 0 comments)
- Persistence: startup folder (#29, opened by TomerAlpert, 0 comments)
- Persistence: scheduled task (#28, opened by TomerAlpert, 0 comments)
- Persistence: Create new service (#27, opened by TomerAlpert, 0 comments)
- Persistence: Run key (#26, opened by TomerAlpert, 0 comments)
- PSEXEC queries (#25, opened by TomerAlpert, 0 comments)
- Abnormal logon (#24, opened by TomerAlpert, 0 comments)
- WMI queries (#23, opened by TomerAlpert, 0 comments)
- CreateUser as part of RDP session (#22, opened by TomerAlpert, 0 comments)
- Data Exfiltration (#98, opened by tjackson78)