Path	Lines of Code
Hunting Queries/ASimProcess/Discorddownloadinvokedfromcmdline(ASIMVersion).yaml	47
Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml	24
Hunting Queries/ASimProcess/imProcess_Dev-0056CommandLineActivityNovember2021(ASIMVersion).yaml	32
Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml	27
Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml	39
Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml	27
Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml	28
Hunting Queries/ASimProcess/imProcess_PowerCatDownload.yaml	26
Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml	146
Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml	19
Hunting Queries/ASimProcess/imProcess_Suspicious_enumeration_using_adfind.yaml	39
Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml	23
Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml	21
Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml	18
Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml	27
Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml	18
Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml	28
Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml	24
Hunting Queries/ASimRegistry/Crashdumpdisabledonhost(ASIMVersion).yaml	34
Hunting Queries/AWSCloudTrail/AWS_IAM_PolicyChange.yaml	4
Hunting Queries/AWSCloudTrail/AWS_IAM_PrivilegeEscalationbyAttachment.yaml	4
Hunting Queries/AWSCloudTrail/AWS_PrivilegedRoleAttachedToInstance.yaml	4
Hunting Queries/AWSCloudTrail/AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles.yaml	4
Hunting Queries/AWSCloudTrail/AWS_Unused_UnsupportedCloudRegions.yaml	4
Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml	35
Hunting Queries/AuditLogs/AccountMFAModifications.yaml	36
Hunting Queries/AuditLogs/AppRequiredResourceAccessUpdate.yaml	48
Hunting Queries/AuditLogs/ApprovedAccessPackagesDetails.yaml	61
Hunting Queries/AuditLogs/BitLockerKeyRetrieval.yaml	35
Hunting Queries/AuditLogs/ConsentToApplicationDiscovery.yaml	99
Hunting Queries/AuditLogs/NonredeemedGuesUserInvites.yaml	53
Hunting Queries/AuditLogs/RareAuditActivityByApp.yaml	79
Hunting Queries/AuditLogs/RareAuditActivityByUser.yaml	74
Hunting Queries/AuditLogs/StsRefreshTokenModification.yaml	4
Hunting Queries/AuditLogs/UserGrantedAccess_AllAuditActivity.yaml	90
Hunting Queries/AuditLogs/UserGrantedAccess_GrantsOthersAccess.yaml	4
Hunting Queries/AuditLogs/UsersAuthenticatingtoOtherAzureADTenants.yaml	30
Hunting Queries/AzureActivity/AnalyticsRulesAdministrativeOperations.yaml	3
Hunting Queries/AzureActivity/AnomalousAzureOperationModel.yaml	3
Hunting Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml	3
Hunting Queries/AzureActivity/Azure-CloudShell-Usage.yaml	42
Hunting Queries/AzureActivity/AzureAdministrationFromVPS.yaml	3
Hunting Queries/AzureActivity/AzureNSG_AdministrativeOperations.yaml	3
Hunting Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml	3
Hunting Queries/AzureActivity/AzureSentinelConnectors_AdministrativeOperations.yaml	3
Hunting Queries/AzureActivity/AzureSentinelWorkbooks_AdministrativeOperation.yaml	3
Hunting Queries/AzureActivity/AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml	2
Hunting Queries/AzureActivity/Common_Deployed_Resources.yaml	3
Hunting Queries/AzureActivity/Creating_Anomalous_Number_Of_Resources.yaml	3
Hunting Queries/AzureActivity/Granting_Permissions_to_Account.yaml	3
Hunting Queries/AzureActivity/PortOpenedForAzureResource.yaml	3
Hunting Queries/AzureActivity/Rare_Custom_Script_Extension.yaml	3
Hunting Queries/AzureDevOpsAuditing/AAD Conditional Access Disabled.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADOBuildCheckDeleted.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADOBuildDeletedAfterPipelineMod.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADOInternalUpstreamPacakgeFeedAdded.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADONewAgentPoolCreated.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADONewPATOperation.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADONewReleaseApprover.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADOReleasePipelineCreated.yaml	4
Hunting Queries/AzureDevOpsAuditing/ADOVariableCreatedDeleted.yaml	4
Hunting Queries/AzureDevOpsAuditing/Addtional Org Admin Added.yaml	4
Hunting Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml	4
Hunting Queries/AzureDevOpsAuditing/AzDOPrPolicyBypassers.yaml	4
Hunting Queries/AzureDevOpsAuditing/Guest users access enabled.yaml	4
Hunting Queries/AzureDevOpsAuditing/Project visibility changed to public.yaml	4
Hunting Queries/AzureDevOpsAuditing/Public Projects enabled.yaml	4
Hunting Queries/AzureDevOpsAuditing/Public project created.yaml	4
Hunting Queries/AzureDiagnostics/AzureKeyVaultAccessManipulation.yaml	4
Hunting Queries/AzureDiagnostics/CriticalPortsOpened.yaml	52
Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml	50
Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml	4
Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml	4
Hunting Queries/AzureStorage/AzureStorageFileCreateAccessDelete.yaml	66
Hunting Queries/AzureStorage/AzureStorageFileCreatedQuicklyDeleted.yaml	39
Hunting Queries/AzureStorage/AzureStorageFileOnEndpoint.yaml	24
Hunting Queries/AzureStorage/AzureStorageMassDeletion.yaml	31
Hunting Queries/AzureStorage/AzureStorageUploadFromVPS.yaml	32
Hunting Queries/AzureStorage/AzureStorageUploadLinkAccount.yaml	44
Hunting Queries/BehaviorAnalytics/Anomalous AAD Account Manipulation.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Account Creation.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Activity Role Assignment.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Code Execution.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Data Access.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Defensive Mechanism Modification.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Failed Logon.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Geo Location Logon.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Login to Devices.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Password Reset.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous RDP Activity.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Resource Access.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Role Assignment.yaml	4
Hunting Queries/BehaviorAnalytics/Anomalous Sign-in Activity.yaml	4
Hunting Queries/CloudAppEvents/SetPolicyConfigInCloudAppEvents.yaml	35
Hunting Queries/CommonSecurityLog/AbnormallyLargeJPEGFiledDownloadedfromNewSource.yaml	42
Hunting Queries/CommonSecurityLog/B64IPInURL.yaml	4
Hunting Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml	4
Hunting Queries/CommonSecurityLog/RiskyCommandB64EncodedInUrl.yaml	4
Hunting Queries/DeviceProcess/VScodeExtensionofanUser.yaml	45
Hunting Queries/DnsEvents/DNS_CommonlyAbusedTLDs.yaml	4
Hunting Queries/DnsEvents/DNS_DomainAnomalousLookupIncrease.yaml	4
Hunting Queries/DnsEvents/DNS_FullNameAnomalousLookupIncrease.yaml	4
Hunting Queries/DnsEvents/DNS_HighPercentNXDomainCount.yaml	4
Hunting Queries/DnsEvents/DNS_HighReverseDNSCount.yaml	4
Hunting Queries/DnsEvents/DNS_LongURILookup.yaml	4
Hunting Queries/DnsEvents/DNS_WannaCry.yaml	4
Hunting Queries/DnsEvents/Solorigate-DNS-Pattern.yaml	4
Hunting Queries/DnsEvents/Solorigate-Encoded-Domain-URL.yaml	4
Hunting Queries/GitHub/First Time User Invite and Add Member to Org.yaml	24
Hunting Queries/GitHub/Inactive or New Account Usage.yaml	43
Hunting Queries/GitHub/Mass Deletion of Repositories .yaml	33
Hunting Queries/GitHub/Oauth App Restrictions Disabled.yaml	15
Hunting Queries/GitHub/Org Repositories Default Permissions Change.yaml	15
Hunting Queries/GitHub/Repository Permission Switched to Public.yaml	15
Hunting Queries/GitHub/Suspicious Fork Activity.yaml	37
Hunting Queries/GitHub/Unusual Number of Repository Clones.yaml	32
Hunting Queries/GitHub/User First Time Repository Delete Activity.yaml	24
Hunting Queries/GitHub/User Grant Access and Grants Other Access.yaml	25
Hunting Queries/LAQueryLogs/CrossServiceADXQueries.yaml	24
Hunting Queries/LAQueryLogs/CrossWorkspaceQueryAnomolies.yaml	51
Hunting Queries/LAQueryLogs/MultipleLargeQueriesByUser.yaml	35
Hunting Queries/LAQueryLogs/NewClientRunningQueries.yaml	38
Hunting Queries/LAQueryLogs/NewServicePrincipalRunningQueries.yaml	40
Hunting Queries/LAQueryLogs/NewUserCallingSensitiveWatchlist.yaml	36
Hunting Queries/LAQueryLogs/NewUserRunningQueries.yaml	35
Hunting Queries/LAQueryLogs/QueryDataVolumeAnomolies.yaml	42
Hunting Queries/LAQueryLogs/QueryLookingForSecrets.yaml	40
Hunting Queries/LAQueryLogs/UserReturningMoreDataThanDailyAverage.yaml	48
Hunting Queries/LAQueryLogs/UserRunningMultipleQueriesThatFail.yaml	34
Hunting Queries/Microsoft 365 Defender/ASR rules/ASR-rules-categorized-detection-graph.yaml	25
Hunting Queries/Microsoft 365 Defender/Campaigns/APT Baby Shark.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/APT29 thinktanks.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Abuse.ch Recent Threat Feed (1).yaml	39
Hunting Queries/Microsoft 365 Defender/Campaigns/Abuse.ch Recent Threat Feed.yaml	66
Hunting Queries/Microsoft 365 Defender/Campaigns/Abusing settingcontent-ms.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Bazacall Emails.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Cobalt Strike Lateral Movement.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Dropping payload via certutil.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Excel Macro Execution.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Excel file download domain pattern.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Malicious Excel Delivery.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/NTDS theft.yaml	18
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Renamed Rclone Exfil.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/RunDLL Suspicious Network Connection.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazarloader/Stolen Images Execution.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazarloader/Zip-Doc - Creation of JPG Payload File.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Bazarloader/Zip-Doc - Word Launching MSHTA.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Bear Activity GTR 2019.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Cloud Hopper.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/DofoilNameCoinServerTraffic.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/Dopplepaymer In-Memory Malware Implant.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Dragon Fly.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/EUROPIUM/Identify EUROPIUM IOCs.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/EUROPIUM/Identify Microsoft Defender Antivirus detection related to EUROPIUM.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/EUROPIUM/Identify unusual identity additions related to EUROPIUM.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Elise backdoor.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Equation Group C2 Communication.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Hurricane Panda activity.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Judgement Panda exfil activity.yaml	21
Hunting Queries/Microsoft 365 Defender/Campaigns/Jupyter-Solarmaker/deimos-component-execution.yaml	20
Hunting Queries/Microsoft 365 Defender/Campaigns/Jupyter-Solarmaker/evasive-powershell-executions.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Jupyter-Solarmaker/evasive-powershell-strings.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Jupyter-Solarmaker/successive-tk-domain-calls.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/KNOTWEED/KNOTWEED-AVDetections.yaml	18
Hunting Queries/Microsoft 365 Defender/Campaigns/KNOTWEED/KNOTWEED-COMRegistryKeyModifiedtoPointtoColorProfileFolder.yaml	3
Hunting Queries/Microsoft 365 Defender/Campaigns/KNOTWEED/KNOTWEED-DomainIOCsJuly2022.yaml	20
Hunting Queries/Microsoft 365 Defender/Campaigns/KNOTWEED/KNOTWEED-DownloadingnewfileusingCurl.yaml	25
Hunting Queries/Microsoft 365 Defender/Campaigns/KNOTWEED/KNOTWEED-FileHashIOCsJuly2022.yaml	39
Hunting Queries/Microsoft 365 Defender/Campaigns/KNOTWEED/KNOTWEED-PEFileDroppedinColorProfileFolder.yaml	3
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-competition-killer.yaml	21
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-component-download-structure.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-component-names.yaml	19
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-control-structure.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-defender-exclusions.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-email-subjects.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-id-generation.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/LemonDuck/LemonDuck-registration-function.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/Log4J/Alerts related to Log4j vulnerability.yaml	26
Hunting Queries/Microsoft 365 Defender/Campaigns/Log4J/Devices with Log4j vulnerability alerts and additional other alert related context.yaml	38
Hunting Queries/Microsoft 365 Defender/Campaigns/Log4J/Suspicious JScript staging comment.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Log4J/Suspicious PowerShell curl flags.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Log4J/Suspicious process event creation from VMWare Horizon TomcatService.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/MacOceanLotusBackdoor.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/MacOceanLotusDropper.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/Macaw Ransomware/Disable Controlled Folders.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Macaw Ransomware/Imminent Ransomware.yaml	38
Hunting Queries/Microsoft 365 Defender/Campaigns/Macaw Ransomware/Inhibit recovery by disabling tools and functionality.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/Macaw Ransomware/Mass account password change.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Macaw Ransomware/PSExec Attrib commands.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/Macaw Ransomware/Use of MSBuild as LOLBin.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/OceanLotus registry activity.yaml	20
Hunting Queries/Microsoft 365 Defender/Campaigns/Qakbot/Excel launching anomalous processes.yaml	5
Hunting Queries/Microsoft 365 Defender/Campaigns/Qakbot/General attempts to access local email store.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/Qakbot/Qakbot Craigslist Domains.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Qakbot/Qakbot email theft (1).yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Qakbot/Qakbot email theft.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Qakbot/Qakbot reconnaissance activities.yaml	19
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Alternate Data Streams use.yaml	18
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Backup deletion.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Cipher.exe tool deleting data.yaml	19
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Clearing of system logs.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Possible compromised accounts.yaml	34
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Robbinhood activity.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Turning off System Restore.yaml	21
Hunting Queries/Microsoft 365 Defender/Campaigns/Ransomware hits healthcare - Vulnerable Gigabyte drivers.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/StarBlizzardDomainIOCsAug2022.yaml	27
Hunting Queries/Microsoft 365 Defender/Campaigns/StrRAT malware/StrRAT-AV-Discovery.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/StrRAT malware/StrRAT-Email-Delivery.yaml	28
Hunting Queries/Microsoft 365 Defender/Campaigns/StrRAT malware/StrRAT-Malware-Persistence.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/app-armor-stopped.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/java-executing-cmd-to-run-powershell.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/kinsing-miner-download.yaml	13
Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/oracle-webLogic-executing-powershell.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/rce-on-vulnerable-server.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/tomcat-8-executing-powershell.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/Threat actor Phosphorus masquerading as conference organizers (1).yaml	4
Hunting Queries/Microsoft 365 Defender/Campaigns/Threat actor Phosphorus masquerading as conference organizers (2).yaml	4
Hunting Queries/Microsoft 365 Defender/Campaigns/Threat actor Phosphorus masquerading as conference organizers.yaml	18
Hunting Queries/Microsoft 365 Defender/Campaigns/WastedLocker Downloader.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/ZLoader/Malicious bat file.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/ZLoader/Payload Delivery.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/ZLoader/Suspicious Registry Keys.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/apt sofacy zebrocy.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/apt sofacy.yaml	15
Hunting Queries/Microsoft 365 Defender/Campaigns/apt ta17 293a ps.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/apt tropictrooper.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/apt unidentified nov 18 (1).yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/apt unidentified nov 18.yaml	14
Hunting Queries/Microsoft 365 Defender/Campaigns/c2-lookup-from-nonbrowser[Nobelium] (1).yaml	24
Hunting Queries/Microsoft 365 Defender/Campaigns/c2-lookup-from-nonbrowser[Nobelium].yaml	23
Hunting Queries/Microsoft 365 Defender/Campaigns/c2-lookup-response[Nobelium] (1).yaml	24
Hunting Queries/Microsoft 365 Defender/Campaigns/c2-lookup-response[Nobelium].yaml	23
Hunting Queries/Microsoft 365 Defender/Campaigns/cobalt-strike-invoked-w-wmi.yaml	38
Hunting Queries/Microsoft 365 Defender/Campaigns/compromised nvidia certificates[Lapsus$].yaml	27
Hunting Queries/Microsoft 365 Defender/Campaigns/compromised-certificate[Nobelium].yaml	26
Hunting Queries/Microsoft 365 Defender/Campaigns/confluence-weblogic-targeted.yaml	70
Hunting Queries/Microsoft 365 Defender/Campaigns/cypherpunk-exclusive-commands.yaml	18
Hunting Queries/Microsoft 365 Defender/Campaigns/cypherpunk-remote-exec-w-psexesvc.yaml	19
Hunting Queries/Microsoft 365 Defender/Campaigns/detect-cyzfc-activity (1).yaml	20
Hunting Queries/Microsoft 365 Defender/Campaigns/detect-cyzfc-activity (2).yaml	21
Hunting Queries/Microsoft 365 Defender/Campaigns/detect-cyzfc-activity (3).yaml	21
Hunting Queries/Microsoft 365 Defender/Campaigns/detect-cyzfc-activity (4).yaml	27
Hunting Queries/Microsoft 365 Defender/Campaigns/detect-cyzfc-activity.yaml	27
Hunting Queries/Microsoft 365 Defender/Campaigns/fireeye-red-team-tools-CVEs [Nobelium].yaml	43
Hunting Queries/Microsoft 365 Defender/Campaigns/fireeye-red-team-tools-HASHs [Nobelium].yaml	335
Hunting Queries/Microsoft 365 Defender/Campaigns/known-affected-software-orion[Nobelium].yaml	23
Hunting Queries/Microsoft 365 Defender/Campaigns/launching-base64-powershell[Nobelium].yaml	30
Hunting Queries/Microsoft 365 Defender/Campaigns/launching-cmd-echo[Nobelium].yaml	25
Hunting Queries/Microsoft 365 Defender/Campaigns/oceanlotus-apt32-files.yaml	98
Hunting Queries/Microsoft 365 Defender/Campaigns/oceanlotus-apt32-network.yaml	30
Hunting Queries/Microsoft 365 Defender/Campaigns/possible-affected-software-orion[Nobelium].yaml	25
Hunting Queries/Microsoft 365 Defender/Campaigns/redmenshen-bpfdoor-backdoor.yaml	21
Hunting Queries/Microsoft 365 Defender/Campaigns/robbinhood-driver.yaml	23
Hunting Queries/Microsoft 365 Defender/Campaigns/robbinhood-evasion.yaml	25
Hunting Queries/Microsoft 365 Defender/Campaigns/snip3-aviation-targeting-emails.yaml	24
Hunting Queries/Microsoft 365 Defender/Campaigns/snip3-detectsanboxie-function-call.yaml	16
Hunting Queries/Microsoft 365 Defender/Campaigns/snip3-encoded-powershell-structure.yaml	17
Hunting Queries/Microsoft 365 Defender/Campaigns/snip3-malicious-network-connectivity.yaml	18
Hunting Queries/Microsoft 365 Defender/Campaigns/snip3-revengerat-c2-exfiltration.yaml	16
Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-group-adds.yaml	28
Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-role-adds.yaml	34
Hunting Queries/Microsoft 365 Defender/Cloud Apps/file-download-events.yaml	28
Hunting Queries/Microsoft 365 Defender/Cloud Apps/mass-downloads.yaml	20
Hunting Queries/Microsoft 365 Defender/Collection/Anomaly of MailItemAccess by Other Users Mailbox [Nobelium].yaml	38
Hunting Queries/Microsoft 365 Defender/Collection/HostExportingMailboxAndRemovingExport[Solarigate].yaml	32
Hunting Queries/Microsoft 365 Defender/Collection/MailItemsAccessedTimeSeries[Solarigate].yaml	49
Hunting Queries/Microsoft 365 Defender/Command and Control/C2-NamedPipe.yaml	61
Hunting Queries/Microsoft 365 Defender/Command and Control/Connection to Rare DNS Hosts.yaml	31
Hunting Queries/Microsoft 365 Defender/Command and Control/DNSPattern [Nobelium].yaml	71
Hunting Queries/Microsoft 365 Defender/Command and Control/Device network events w low count FQDN.yaml	26
Hunting Queries/Microsoft 365 Defender/Command and Control/EncodedDomainURL [Nobelium].yaml	74
Hunting Queries/Microsoft 365 Defender/Command and Control/Tor.yaml	21
Hunting Queries/Microsoft 365 Defender/Command and Control/c2-bluekeep.yaml	28
Hunting Queries/Microsoft 365 Defender/Command and Control/check-for-shadowhammer-activity-download-domain.yaml	19
Hunting Queries/Microsoft 365 Defender/Command and Control/python-use-by-ransomware-macos.yaml	19
Hunting Queries/Microsoft 365 Defender/Command and Control/recon-with-rundll.yaml	25
Hunting Queries/Microsoft 365 Defender/Command and Control/reverse-shell-ransomware-macos.yaml	18
Hunting Queries/Microsoft 365 Defender/Credential Access/Active Directory Sensitive Group Modifications.yaml	64
Hunting Queries/Microsoft 365 Defender/Credential Access/Attempts to request Kerberos service ticket using the AS service.yaml	34
Hunting Queries/Microsoft 365 Defender/Credential Access/Private Key Files.yaml	27
Hunting Queries/Microsoft 365 Defender/Credential Access/cobalt-strike.yaml	5
Hunting Queries/Microsoft 365 Defender/Credential Access/doppelpaymer-procdump.yaml	27
Hunting Queries/Microsoft 365 Defender/Credential Access/identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike.yaml	39
Hunting Queries/Microsoft 365 Defender/Credential Access/lazagne.yaml	29
Hunting Queries/Microsoft 365 Defender/Credential Access/logon-attempts-after-malicious-email.yaml	23
Hunting Queries/Microsoft 365 Defender/Credential Access/lsass-credential-dumping.yaml	30
Hunting Queries/Microsoft 365 Defender/Credential Access/procdump-lsass-credentials.yaml	22
Hunting Queries/Microsoft 365 Defender/Credential Access/wadhrama-credential-dump.yaml	21
Hunting Queries/Microsoft 365 Defender/Credential Access/wdigest-caching.yaml	32
Hunting Queries/Microsoft 365 Defender/Defense evasion/ADFSDomainTrustMods[Nobelium].yaml	45
Hunting Queries/Microsoft 365 Defender/Defense evasion/Discovering potentially tampered devices [Nobelium].yaml	9
Hunting Queries/Microsoft 365 Defender/Defense evasion/MailPermissionsAddedToApplication[Nobelium].yaml	48
Hunting Queries/Microsoft 365 Defender/Defense evasion/PotentialMicrosoftDefenderTampering[Solarigate].yaml	33
Hunting Queries/Microsoft 365 Defender/Defense evasion/UpdateStsRefreshToken[Solorigate].yaml	27
Hunting Queries/Microsoft 365 Defender/Defense evasion/alt-data-streams.yaml	26
Hunting Queries/Microsoft 365 Defender/Defense evasion/clear-system-logs.yaml	19
Hunting Queries/Microsoft 365 Defender/Defense evasion/deleting-data-w-cipher-tool.yaml	24
Hunting Queries/Microsoft 365 Defender/Defense evasion/doppelpaymer-stop-services.yaml	24
Hunting Queries/Microsoft 365 Defender/Defense evasion/hiding-java-class-file.yaml	18
Hunting Queries/Microsoft 365 Defender/Defense evasion/locate-files-possibly-signed-by-fraudulent-ecc-certificates.yaml	7
Hunting Queries/Microsoft 365 Defender/Defense evasion/qakbot-campaign-process-injection.yaml	21
Hunting Queries/Microsoft 365 Defender/Defense evasion/qakbot-campaign-self-deletion.yaml	22
Hunting Queries/Microsoft 365 Defender/Defense evasion/regsvr32-rundll32-image-loads-abnormal-extension.yaml	29
Hunting Queries/Microsoft 365 Defender/Defense evasion/regsvr32-rundll32-image-loads-from-abnormal-locations.yaml	39
Hunting Queries/Microsoft 365 Defender/Defense evasion/regsvr32-rundll32-with-anomalous-parent-process.yaml	30
Hunting Queries/Microsoft 365 Defender/Defense evasion/suspicious-base64-encoded-registry-keys.yaml	26
Hunting Queries/Microsoft 365 Defender/Defense evasion/suspicious-command-interpreters-added-to-registry.yaml	27
Hunting Queries/Microsoft 365 Defender/Defense evasion/suspicious-keywords-in-registry.yaml	21
Hunting Queries/Microsoft 365 Defender/Delivery/Doc attachment with link to download.yaml	55
Hunting Queries/Microsoft 365 Defender/Delivery/Dropbox downloads linked from other site.yaml	20
Hunting Queries/Microsoft 365 Defender/Delivery/Email link + download + SmartScreen warning.yaml	41
Hunting Queries/Microsoft 365 Defender/Delivery/Gootkit-malware.yaml	27
Hunting Queries/Microsoft 365 Defender/Delivery/Open email link.yaml	54
Hunting Queries/Microsoft 365 Defender/Delivery/Pivot from detections to related downloads.yaml	48
Hunting Queries/Microsoft 365 Defender/Delivery/Qakbot Craigslist Domains.yaml	13
Hunting Queries/Microsoft 365 Defender/Delivery/detect-jscript-file-creation.yaml	20
Hunting Queries/Microsoft 365 Defender/Delivery/powercat-download.yaml	23
Hunting Queries/Microsoft 365 Defender/Device Inventory/Anomalous Device Models.yaml	17
Hunting Queries/Microsoft 365 Defender/Device Inventory/Can Be Onboarded Devices.yaml	18
Hunting Queries/Microsoft 365 Defender/Device Inventory/Commonality of Operating Systems.yaml	16
Hunting Queries/Microsoft 365 Defender/Device Inventory/Count and Percentage of DeviceType.yaml	21
Hunting Queries/Microsoft 365 Defender/Device Inventory/Devices By Specific DeviceType and DeviceSubtype.yaml	17
Hunting Queries/Microsoft 365 Defender/Device Inventory/Devices In Subnet - IPAddressV4.yaml	18
Hunting Queries/Microsoft 365 Defender/Device Inventory/Devices In Subnet - IPAddressV6.yaml	18
Hunting Queries/Microsoft 365 Defender/Device Inventory/Find Software By Name and Version.yaml	21
Hunting Queries/Microsoft 365 Defender/Device Inventory/Most Common Services.yaml	18
Hunting Queries/Microsoft 365 Defender/Device Inventory/NotOnboarded Devices by DeviceName Prefix.yaml	18
Hunting Queries/Microsoft 365 Defender/Device Inventory/NotOnboarded Devices by DeviceName Suffix.yaml	18
Hunting Queries/Microsoft 365 Defender/Device Inventory/Seen Connected Networks.yaml	17
Hunting Queries/Microsoft 365 Defender/Device Inventory/Seen IPv4 Network Subnets.yaml	18
Hunting Queries/Microsoft 365 Defender/Device Inventory/Seen IPv6 Network Subnets.yaml	18
Hunting Queries/Microsoft 365 Defender/Discovery/ConnectedNetworkDeviceDiscovery.yaml	17
Hunting Queries/Microsoft 365 Defender/Discovery/Detect-Not-Active-AD-User-Accounts.yaml	15
Hunting Queries/Microsoft 365 Defender/Discovery/DetectTorRelayConnectivity.yaml	24
Hunting Queries/Microsoft 365 Defender/Discovery/DetectTorrentUse.yaml	13
Hunting Queries/Microsoft 365 Defender/Discovery/Discover hosts doing possible network scans.yaml	17
Hunting Queries/Microsoft 365 Defender/Discovery/Enumeration of users & groups for lateral movement.yaml	16
Hunting Queries/Microsoft 365 Defender/Discovery/MDI_Find_deleted_accounts_and_by_whom.yaml	27
Hunting Queries/Microsoft 365 Defender/Discovery/MDI_Group_Memebership_Changes.yaml	45
Hunting Queries/Microsoft 365 Defender/Discovery/MultipleLdaps.yaml	18
Hunting Queries/Microsoft 365 Defender/Discovery/MultipleSensitiveLdaps.yaml	36
Hunting Queries/Microsoft 365 Defender/Discovery/PasswordSearch.yaml	20
Hunting Queries/Microsoft 365 Defender/Discovery/Roasting.yaml	39
Hunting Queries/Microsoft 365 Defender/Discovery/SMB shares discovery.yaml	17
Hunting Queries/Microsoft 365 Defender/Discovery/SensitiveLdaps.yaml	15
Hunting Queries/Microsoft 365 Defender/Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].yaml	34
Hunting Queries/Microsoft 365 Defender/Discovery/URL Detection.yaml	12
Hunting Queries/Microsoft 365 Defender/Discovery/VulnComputers.yaml	19
Hunting Queries/Microsoft 365 Defender/Discovery/detect-nbtscan-activity.yaml	5
Hunting Queries/Microsoft 365 Defender/Discovery/detect-suspicious-commands-initiated-by-web-server-processes.yaml	33
Hunting Queries/Microsoft 365 Defender/Discovery/doppelpaymer.yaml	28
Hunting Queries/Microsoft 365 Defender/Discovery/qakbot-campaign-esentutl.yaml	6
Hunting Queries/Microsoft 365 Defender/Discovery/qakbot-campaign-outlook.yaml	19
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml	27
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml	18
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml	23
Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml	23
Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml	29
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Email sender IP address Geo location information.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for Admin email access.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml	65
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml	33
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml	26
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml	30
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml	38
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Email bombing.yaml	12
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml	18
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml	30
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email bombing attacks.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml	40
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml	28
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml	27
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml	26
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml	46
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml	40
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml	29
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml	35
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml	30
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml	26
Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml	32
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml	31
Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml	39
Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Possible Teams phishing activity.yaml	34
Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Possible device code phishing attempts.yaml	47
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml	24
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml	51
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml	27
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml	36
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml	47
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml	26
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml	31
Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml	47
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml	24
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml	27
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml	27
Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/AIR investigation actions insight.yaml	35
Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml	35
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml	27
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml	28
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml	24
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml	27
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml	25
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml	24
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml	23
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml	22
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml	20
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml	28
Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml	21
Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml	6
Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml	23
Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml	20
Hunting Queries/Microsoft 365 Defender/Execution/Base64 Detector and Decoder.yaml	18
Hunting Queries/Microsoft 365 Defender/Execution/Base64encodePEFile.yaml	14
Hunting Queries/Microsoft 365 Defender/Execution/Bitsadmin Activity.yaml	39
Hunting Queries/Microsoft 365 Defender/Execution/Detect Encoded Powershell.yaml	14
Hunting Queries/Microsoft 365 Defender/Execution/Detect PowerShell v2 Downgrade.yaml	18
Hunting Queries/Microsoft 365 Defender/Execution/ExecuteBase64DecodedPayload.yaml	21
Hunting Queries/Microsoft 365 Defender/Execution/File Copy and Execution.yaml	32
Hunting Queries/Microsoft 365 Defender/Execution/Malware_In_recyclebin.yaml	16
Hunting Queries/Microsoft 365 Defender/Execution/Masquerading system executable.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/Possible Ransomware Related Destruction Activity.yaml	30
Hunting Queries/Microsoft 365 Defender/Execution/PowerShell downloads.yaml	22
Hunting Queries/Microsoft 365 Defender/Execution/PowershellCommand - uncommon commands on machine.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/PowershellCommand footprint.yaml	19
Hunting Queries/Microsoft 365 Defender/Execution/Webserver Executing Suspicious Applications.yaml	18
Hunting Queries/Microsoft 365 Defender/Execution/anomalous-payload-delivered-from-iso-file.yaml	34
Hunting Queries/Microsoft 365 Defender/Execution/check-for-shadowhammer-activity-implant.yaml	27
Hunting Queries/Microsoft 365 Defender/Execution/detect-anomalous-process-trees.yaml	93
Hunting Queries/Microsoft 365 Defender/Execution/detect-bluekeep-related-mining.yaml	27
Hunting Queries/Microsoft 365 Defender/Execution/detect-doublepulsar-execution.yaml	24
Hunting Queries/Microsoft 365 Defender/Execution/detect-exploitation-of-cve-2018-8653.yaml	25
Hunting Queries/Microsoft 365 Defender/Execution/detect-impacket-atexec.yaml	36
Hunting Queries/Microsoft 365 Defender/Execution/detect-impacket-dcomexec.yaml	42
Hunting Queries/Microsoft 365 Defender/Execution/detect-impacket-psexec-module.yaml	50
Hunting Queries/Microsoft 365 Defender/Execution/detect-impacket-wmiexec.yaml	45
Hunting Queries/Microsoft 365 Defender/Execution/detect-malicious-rar-extraction.yaml	7
Hunting Queries/Microsoft 365 Defender/Execution/detect-malicious-use-of-msiexec-mimikatz.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/detect-malicious-use-of-msiexec-msiexec.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/detect-malicious-use-of-msiexec-powershell.yaml	22
Hunting Queries/Microsoft 365 Defender/Execution/detect-office-apps-spawn-msdt-CVE-2022-30190.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/detect-office-products-spawning-wmic.yaml	20
Hunting Queries/Microsoft 365 Defender/Execution/detect-potential-kerberoast-activities.yaml	31
Hunting Queries/Microsoft 365 Defender/Execution/detect-suspicious-mshta-usage.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/detect-web-server-exploit-doublepulsar.yaml	72
Hunting Queries/Microsoft 365 Defender/Execution/exchange-iis-worker-dropping-webshell.yaml	4
Hunting Queries/Microsoft 365 Defender/Execution/jse-launched-by-word.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/launch-questd-w-osascript.yaml	20
Hunting Queries/Microsoft 365 Defender/Execution/locate-shlayer-payload-decryption-activity.yaml	5
Hunting Queries/Microsoft 365 Defender/Execution/locate-shlayer-payload-decrytion-activity.yaml	5
Hunting Queries/Microsoft 365 Defender/Execution/locate-surfbuyer-downloader-decoding-activity.yaml	18
Hunting Queries/Microsoft 365 Defender/Execution/office-apps-launching-wscipt.yaml	21
Hunting Queries/Microsoft 365 Defender/Execution/powershell-activity-after-email-from-malicious-sender.yaml	24
Hunting Queries/Microsoft 365 Defender/Execution/powershell-version-2.0-execution.yaml	17
Hunting Queries/Microsoft 365 Defender/Execution/python-based-attacks-on-macos.yaml	18
Hunting Queries/Microsoft 365 Defender/Execution/qakbot-campaign-suspicious-javascript.yaml	21
Hunting Queries/Microsoft 365 Defender/Execution/reverse-shell-nishang-base64.yaml	28
Hunting Queries/Microsoft 365 Defender/Execution/reverse-shell-nishang.yaml	23
Hunting Queries/Microsoft 365 Defender/Execution/sql-server-abuse.yaml	114
Hunting Queries/Microsoft 365 Defender/Execution/umworkerprocess-creating-webshell.yaml	4
Hunting Queries/Microsoft 365 Defender/Execution/umworkerprocess-unusual-subprocess-activity.yaml	23
Hunting Queries/Microsoft 365 Defender/Exfiltration/7-zip-prep-for-exfiltration.yaml	20
Hunting Queries/Microsoft 365 Defender/Exfiltration/Anomaly of MailItemAccess by GraphAPI [Nobelium].yaml	32
Hunting Queries/Microsoft 365 Defender/Exfiltration/Data copied to other location than C drive.yaml	19
Hunting Queries/Microsoft 365 Defender/Exfiltration/Files copied to USB drives.yaml	32
Hunting Queries/Microsoft 365 Defender/Exfiltration/MailItemsAccessed Throttling [Nobelium].yaml	24
Hunting Queries/Microsoft 365 Defender/Exfiltration/Map external devices (1).yaml	26
Hunting Queries/Microsoft 365 Defender/Exfiltration/Map external devices.yaml	36
Hunting Queries/Microsoft 365 Defender/Exfiltration/OAuth Apps accessing user mail via GraphAPI [Nobelium].yaml	23
Hunting Queries/Microsoft 365 Defender/Exfiltration/OAuth Apps reading mail both via GraphAPI and directly [Nobelium].yaml	42
Hunting Queries/Microsoft 365 Defender/Exfiltration/OAuth Apps reading mail via GraphAPI anomaly [Nobelium].yaml	27
Hunting Queries/Microsoft 365 Defender/Exfiltration/Password Protected Archive Creation.yaml	21
Hunting Queries/Microsoft 365 Defender/Exfiltration/Possible File Copy to USB Drive.yaml	26
Hunting Queries/Microsoft 365 Defender/Exfiltration/codeRepoExfil.yaml	14
Hunting Queries/Microsoft 365 Defender/Exfiltration/detect-archive-exfiltration-to-competitor.yaml	25
Hunting Queries/Microsoft 365 Defender/Exfiltration/detect-exfiltration-after-termination.yaml	26
Hunting Queries/Microsoft 365 Defender/Exfiltration/detect-steganography-exfiltration.yaml	37
Hunting Queries/Microsoft 365 Defender/Exfiltration/exchange-powershell-snapin-loaded.yaml	21
Hunting Queries/Microsoft 365 Defender/Exfiltration/unusual-volume-of-file-sharing.yaml	62
Hunting Queries/Microsoft 365 Defender/Exploits/AcroRd-Exploits.yaml	10
Hunting Queries/Microsoft 365 Defender/Exploits/CVE-2021-36934 usage detection.yaml	4
Hunting Queries/Microsoft 365 Defender/Exploits/CVE-2022-22965 Network Activity.yaml	17
Hunting Queries/Microsoft 365 Defender/Exploits/CVE-2022-26134-Confluence.yaml	23
Hunting Queries/Microsoft 365 Defender/Exploits/Electron-CVE-2018-1000006.yaml	25
Hunting Queries/Microsoft 365 Defender/Exploits/Flash-CVE-2018-4848.yaml	22
Hunting Queries/Microsoft 365 Defender/Exploits/Linux-DynoRoot-CVE-2018-1111.yaml	23
Hunting Queries/Microsoft 365 Defender/Exploits/MosaicLoader.yaml	15
Hunting Queries/Microsoft 365 Defender/Exploits/Print Spooler RCE/Spoolsv Spawning Rundll32.yaml	17
Hunting Queries/Microsoft 365 Defender/Exploits/Print Spooler RCE/Suspicious DLLs in spool folder.yaml	19
Hunting Queries/Microsoft 365 Defender/Exploits/Print Spooler RCE/Suspicious Spoolsv Child Process.yaml	35
Hunting Queries/Microsoft 365 Defender/Exploits/Print Spooler RCE/Suspicious files in spool folder.yaml	15
Hunting Queries/Microsoft 365 Defender/Exploits/SolarWinds -CVE-2021-35211.yaml	4
Hunting Queries/Microsoft 365 Defender/Exploits/VMWare-LPE-2022-22960.yaml	25
Hunting Queries/Microsoft 365 Defender/Exploits/print-pooler-service-suspicious-file-creation.yaml	23
Hunting Queries/Microsoft 365 Defender/Exploits/printnightmare-cve-2021-1675 usage detection (1).yaml	6
Hunting Queries/Microsoft 365 Defender/Exploits/printnightmare-cve-2021-1675 usage detection.yaml	6
Hunting Queries/Microsoft 365 Defender/Exploits/winrar-cve-2018-20250-ace-files.yaml	23
Hunting Queries/Microsoft 365 Defender/Exploits/winrar-cve-2018-20250-file-creation.yaml	5
Hunting Queries/Microsoft 365 Defender/Fun/EmojiHunt.yaml	18
Hunting Queries/Microsoft 365 Defender/Fun/Make FolderPath Vogon Poetry.yaml	52
Hunting Queries/Microsoft 365 Defender/General queries/Alert Events from Internal IP Address.yaml	28
Hunting Queries/Microsoft 365 Defender/General queries/AppLocker Policy Design Assistant.yaml	45
Hunting Queries/Microsoft 365 Defender/General queries/Baseline Comparison.yaml	257
Hunting Queries/Microsoft 365 Defender/General queries/Crashing Applications.yaml	22
Hunting Queries/Microsoft 365 Defender/General queries/Detect Azure RemoteIP.yaml	33
Hunting Queries/Microsoft 365 Defender/General queries/Device Count by DNS Suffix.yaml	17
Hunting Queries/Microsoft 365 Defender/General queries/Device uptime calculation.yaml	22
Hunting Queries/Microsoft 365 Defender/General queries/Endpoint Agent Health Status Report.yaml	106
Hunting Queries/Microsoft 365 Defender/General queries/Events surrounding alert (1).yaml	27
Hunting Queries/Microsoft 365 Defender/General queries/Events surrounding alert (2).yaml	23
Hunting Queries/Microsoft 365 Defender/General queries/Events surrounding alert (3).yaml	27
Hunting Queries/Microsoft 365 Defender/General queries/Events surrounding alert.yaml	19
Hunting Queries/Microsoft 365 Defender/General queries/Failed Logon Attempt.yaml	18
Hunting Queries/Microsoft 365 Defender/General queries/File footprint (1).yaml	19
Hunting Queries/Microsoft 365 Defender/General queries/File footprint.yaml	25
Hunting Queries/Microsoft 365 Defender/General queries/Firewall Policy Design Assistant.yaml	68
Hunting Queries/Microsoft 365 Defender/General queries/Linux Agent Age Report.yaml	27
Hunting Queries/Microsoft 365 Defender/General queries/MD AV Signature and Platform Version.yaml	27
Hunting Queries/Microsoft 365 Defender/General queries/MITRE - Suspicious Events.yaml	70
Hunting Queries/Microsoft 365 Defender/General queries/Machine info from IP address (1).yaml	32
Hunting Queries/Microsoft 365 Defender/General queries/Machine info from IP address (2).yaml	19
Hunting Queries/Microsoft 365 Defender/General queries/Machine info from IP address (3).yaml	22
Hunting Queries/Microsoft 365 Defender/General queries/Machine info from IP address.yaml	23
Hunting Queries/Microsoft 365 Defender/General queries/Network footprint (1).yaml	20
Hunting Queries/Microsoft 365 Defender/General queries/Network footprint (2).yaml	17
Hunting Queries/Microsoft 365 Defender/General queries/Network footprint (3).yaml	16
Hunting Queries/Microsoft 365 Defender/General queries/Network footprint.yaml	15
Hunting Queries/Microsoft 365 Defender/General queries/Network info of machine.yaml	22
Hunting Queries/Microsoft 365 Defender/General queries/Phish and Malware received by user vs total amount of email.yaml	15
Hunting Queries/Microsoft 365 Defender/General queries/Services.yaml	12
Hunting Queries/Microsoft 365 Defender/General queries/System Guard Security Level Baseline.yaml	19
Hunting Queries/Microsoft 365 Defender/General queries/System Guard Security Level Drop.yaml	30
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (1).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (10).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (11).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (12).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (13).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (14).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (15).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (16).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (17).yaml	39
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (18).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (19).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (2).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (3).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (4).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (5).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (6).yaml	26
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (7).yaml	28
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (8).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries (9).yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/insider-threat-detection-queries.yaml	10
Hunting Queries/Microsoft 365 Defender/General queries/wifikeys.yaml	17
Hunting Queries/Microsoft 365 Defender/Impact/backup-deletion.yaml	19
Hunting Queries/Microsoft 365 Defender/Impact/ransom-note-creation-macos.yaml	18
Hunting Queries/Microsoft 365 Defender/Impact/turn-off-system-restore.yaml	27
Hunting Queries/Microsoft 365 Defender/Impact/unusual-volume-of-file-deletion.yaml	74
Hunting Queries/Microsoft 365 Defender/Impact/wadhrama-data-destruction.yaml	22
Hunting Queries/Microsoft 365 Defender/Initial access/ActiveDirectory_Account_lockout_and_unlocks.yaml	25
Hunting Queries/Microsoft 365 Defender/Initial access/Check for Maalware Baazar (abuse.ch) hashes in your mail flow.yaml	22
Hunting Queries/Microsoft 365 Defender/Initial access/Non_intended_user_logon.yaml	28
Hunting Queries/Microsoft 365 Defender/Initial access/PhishingEmailUrlRedirector.yaml	5
Hunting Queries/Microsoft 365 Defender/Initial access/SuspiciousUrlClicked.yaml	18
Hunting Queries/Microsoft 365 Defender/Initial access/User navigation to redirected URL.yaml	48
Hunting Queries/Microsoft 365 Defender/Initial access/detect-bluekeep-exploitation-attempts.yaml	25
Hunting Queries/Microsoft 365 Defender/Initial access/detect-mailsniper.yaml	57
Hunting Queries/Microsoft 365 Defender/Initial access/files-from-malicious-sender.yaml	20
Hunting Queries/Microsoft 365 Defender/Initial access/identify-potential-missed-phishing-email-campaigns.yaml	17
Hunting Queries/Microsoft 365 Defender/Initial access/jar-attachments.yaml	20
Hunting Queries/Microsoft 365 Defender/Lateral Movement/Account brute force (1).yaml	26
Hunting Queries/Microsoft 365 Defender/Lateral Movement/Account brute force.yaml	23
Hunting Queries/Microsoft 365 Defender/Lateral Movement/Device Logons from Unknown IPs.yaml	26
Hunting Queries/Microsoft 365 Defender/Lateral Movement/ImpersonatedUserFootprint.yaml	35
Hunting Queries/Microsoft 365 Defender/Lateral Movement/Network Logons with Local Accounts.yaml	16
Hunting Queries/Microsoft 365 Defender/Lateral Movement/Non-local logons with -500 account.yaml	13
Hunting Queries/Microsoft 365 Defender/Lateral Movement/ServiceAccountsPerformingRemotePS.yaml	55
Hunting Queries/Microsoft 365 Defender/Lateral Movement/detect-suspicious-rdp-connections.yaml	41
Hunting Queries/Microsoft 365 Defender/Lateral Movement/doppelpaymer-psexec.yaml	26
Hunting Queries/Microsoft 365 Defender/Lateral Movement/remote-file-creation-with-psexec.yaml	38
Hunting Queries/Microsoft 365 Defender/Network/Defender for Endpoint Telemetry.yaml	24
Hunting Queries/Microsoft 365 Defender/Persistence/Accessibility Features.yaml	46
Hunting Queries/Microsoft 365 Defender/Persistence/AddedCredentialFromContryXAndSigninFromCountryY.yaml	5
Hunting Queries/Microsoft 365 Defender/Persistence/Create account (1).yaml	21
Hunting Queries/Microsoft 365 Defender/Persistence/Create account.yaml	30
Hunting Queries/Microsoft 365 Defender/Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].yaml	36
Hunting Queries/Microsoft 365 Defender/Persistence/LocalAdminGroupChanges.yaml	46
Hunting Queries/Microsoft 365 Defender/Persistence/NewAppOrServicePrincipalCredential[Nobelium].yaml	48
Hunting Queries/Microsoft 365 Defender/Persistence/Possible webshell drop.yaml	4
Hunting Queries/Microsoft 365 Defender/Persistence/Rare-process-as-a-service.yaml	60
Hunting Queries/Microsoft 365 Defender/Persistence/detect-impacket-wmipersist.yaml	23
Hunting Queries/Microsoft 365 Defender/Persistence/detect-prifou-pua.yaml	27
Hunting Queries/Microsoft 365 Defender/Persistence/localAdminAccountLogon.yaml	13
Hunting Queries/Microsoft 365 Defender/Persistence/multipleAADAdminsRemovals.yaml	29
Hunting Queries/Microsoft 365 Defender/Persistence/qakbot-campaign-registry-edit.yaml	21
Hunting Queries/Microsoft 365 Defender/Persistence/rare_sch_task_launch.yaml	45
Hunting Queries/Microsoft 365 Defender/Persistence/rare_sch_task_with_activity.yaml	28
Hunting Queries/Microsoft 365 Defender/Persistence/riskySignInToDeviceRegistration.yaml	37
Hunting Queries/Microsoft 365 Defender/Persistence/riskySignInToNewMFAMethod.yaml	34
Hunting Queries/Microsoft 365 Defender/Persistence/sch_task_creation.yaml	45
Hunting Queries/Microsoft 365 Defender/Persistence/scheduled task creation.yaml	13
Hunting Queries/Microsoft 365 Defender/Persistence/wadhrama-ransomware.yaml	38
Hunting Queries/Microsoft 365 Defender/Privilege escalation/Add uncommon credential type to application [Nobelium].yaml	5
Hunting Queries/Microsoft 365 Defender/Privilege escalation/SAM-Name-Changes-CVE-2021-42278.yaml	20
Hunting Queries/Microsoft 365 Defender/Privilege escalation/ServicePrincipalAddedToRole [Nobelium].yaml	5
Hunting Queries/Microsoft 365 Defender/Privilege escalation/cve-2019-0808-c2.yaml	24
Hunting Queries/Microsoft 365 Defender/Privilege escalation/cve-2019-0808-nufsys-file creation.yaml	28
Hunting Queries/Microsoft 365 Defender/Privilege escalation/cve-2019-0808-set-scheduled-task.yaml	26
Hunting Queries/Microsoft 365 Defender/Privilege escalation/dell-driver-vulnerability-2021.yaml	5
Hunting Queries/Microsoft 365 Defender/Privilege escalation/detect-av-edr-privileged-delete-vulnerability.yaml	25
Hunting Queries/Microsoft 365 Defender/Privilege escalation/detect-cve-2019-0863-AngryPolarBearBug2-exploit.yaml	26
Hunting Queries/Microsoft 365 Defender/Privilege escalation/detect-cve-2019-0973-installerbypass-exploit.yaml	26
Hunting Queries/Microsoft 365 Defender/Privilege escalation/detect-cve-2019-1053-sandboxescape-exploit.yaml	25
Hunting Queries/Microsoft 365 Defender/Privilege escalation/detect-cve-2019-1069-bearlpe-exploit.yaml	32
Hunting Queries/Microsoft 365 Defender/Privilege escalation/detect-cve-2019-1129-byebear-exploit.yaml	27
Hunting Queries/Microsoft 365 Defender/Privilege escalation/locate-ALPC-local-privilege-elevation-exploit.yaml	23
Hunting Queries/Microsoft 365 Defender/Privilege escalation/riskySignInToElevateAccess.yaml	28
Hunting Queries/Microsoft 365 Defender/Protection events/AV Detections with Source.yaml	25
Hunting Queries/Microsoft 365 Defender/Protection events/AV Detections with USB Disk Drive.yaml	28
Hunting Queries/Microsoft 365 Defender/Protection events/Antivirus detections (1).yaml	24
Hunting Queries/Microsoft 365 Defender/Protection events/Antivirus detections.yaml	19
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardASRStats (1).yaml	14
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardASRStats (2).yaml	13
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardASRStats.yaml	13
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardAsrDescriptions.yaml	55
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardBlockOfficeChildProcess (1).yaml	29
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardBlockOfficeChildProcess (2).yaml	29
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardBlockOfficeChildProcess (3).yaml	29
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardBlockOfficeChildProcess.yaml	21
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardControlledFolderAccess (1).yaml	14
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardControlledFolderAccess (2).yaml	17
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardControlledFolderAccess.yaml	13
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardNetworkProtectionEvents.yaml	15
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardStats (1).yaml	13
Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardStats.yaml	13
Hunting Queries/Microsoft 365 Defender/Protection events/PUA ThreatName per Computer.yaml	16
Hunting Queries/Microsoft 365 Defender/Protection events/SmartScreen URL block ignored by user.yaml	38
Hunting Queries/Microsoft 365 Defender/Protection events/SmartScreen app block ignored by user.yaml	34
Hunting Queries/Microsoft 365 Defender/Protection events/Windows filtering events (Firewall).yaml	16
Hunting Queries/Microsoft 365 Defender/Ransomware/ASR--Rule-Ransomware-triggered.yaml	31
Hunting Queries/Microsoft 365 Defender/Ransomware/Backup deletion.yaml	16
Hunting Queries/Microsoft 365 Defender/Ransomware/Check for multiple signs of ransomware activity.yaml	85
Hunting Queries/Microsoft 365 Defender/Ransomware/Clearing of forensic evidence from event logs using wevtutil.yaml	17
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/Add malicious user to Admins and RDP users group via PowerShell.yaml	14
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/Create new user with known DEV-0270 username and password.yaml	16
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/DLLHost.exe WMIC domain discovery.yaml	14
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/DLLHost.exe file creation via PowerShell.yaml	14
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/Disabling Services via Registry.yaml	15
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/Email data exfiltration via PowerShell.yaml	14
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/Modifying the registry to add a ransom message notification.yaml	13
Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/PowerShell adding exclusion path for Microsoft Defender of ProgramData.yaml	13
Hunting Queries/Microsoft 365 Defender/Ransomware/DarkSide.yaml	13
Hunting Queries/Microsoft 365 Defender/Ransomware/Deletion of data on multiple drives using cipher exe.yaml	21
Hunting Queries/Microsoft 365 Defender/Ransomware/Discovery for highly-privileged accounts.yaml	20
Hunting Queries/Microsoft 365 Defender/Ransomware/Distribution from remote location.yaml	18
Hunting Queries/Microsoft 365 Defender/Ransomware/Fake Replies.yaml	21
Hunting Queries/Microsoft 365 Defender/Ransomware/File Backup Deletion Alerts.yaml	15
Hunting Queries/Microsoft 365 Defender/Ransomware/Gootkit File Delivery.yaml	23
Hunting Queries/Microsoft 365 Defender/Ransomware/HTA Startup Persistence.yaml	14
Hunting Queries/Microsoft 365 Defender/Ransomware/IcedId Delivery.yaml	15
Hunting Queries/Microsoft 365 Defender/Ransomware/IcedId attachments.yaml	21
Hunting Queries/Microsoft 365 Defender/Ransomware/IcedId email delivery.yaml	17
Hunting Queries/Microsoft 365 Defender/Ransomware/LaZagne Credential Theft.yaml	15
Hunting Queries/Microsoft 365 Defender/Ransomware/Potential ransomware activity related to Cobalt Strike.yaml	40
Hunting Queries/Microsoft 365 Defender/Ransomware/Qakbot discovery activies.yaml	21
Hunting Queries/Microsoft 365 Defender/Ransomware/Sticky Keys.yaml	13
Hunting Queries/Microsoft 365 Defender/Ransomware/Stopping multiple processes using taskkill.yaml	17
Hunting Queries/Microsoft 365 Defender/Ransomware/Stopping processes using net stop.yaml	17
Hunting Queries/Microsoft 365 Defender/Ransomware/Suspicious Bitlocker Encryption.yaml	4
Hunting Queries/Microsoft 365 Defender/Ransomware/Suspicious Google Doc Links.yaml	19
Hunting Queries/Microsoft 365 Defender/Ransomware/Suspicious Image Load related to IcedId.yaml	15
Hunting Queries/Microsoft 365 Defender/Ransomware/Turning off System Restore.yaml	21
Hunting Queries/Microsoft 365 Defender/Ransomware/Turning off services using sc exe.yaml	17
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Action1_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Action1_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Action1_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Addigy_netconn.yaml	35
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AeroAdmin_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AeroAdmin_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AeroAdmin_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Ammyy_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Ammyy_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Ammyy_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AnyDesk_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AnyDesk_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AnyDesk_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AnyViewer_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AnyViewer_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AnyViewer_netconn.yaml	28
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Atera_createproc.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Atera_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Atera_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AweSun_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AweSun_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AweSun_netconn.yaml	28
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_BarracudaRMM_createproc.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_BarracudaRMM_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_BarracudaRMM_netconn.yaml	28
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_BeyondTrust_createproc.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_BeyondTrust_filesig.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_BeyondTrust_netconn.yaml	26
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ChromeRDP_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ChromeRDP_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ConnectWise_createproc.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ConnectWise_filesig.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ConnectWise_netconn.yaml	31
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DWService_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DameWare_createproc.yaml	26
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DameWare_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DameWare_netconn.yaml	33
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DattoRMM_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DattoRMM_netconn.yaml	35
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DesktopNow_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DesktopNow_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DesktopNow_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DistantDesktop_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DistantDesktop_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_DistantDesktop_netconn.yaml	26
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_FleetDeck_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_FleetDeck_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_FleetDeck_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_GetScreen_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_GetScreen_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_GetScreen_netconn.yaml	26
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ISLOnline_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ISLOnline_filesig.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ISLOnline_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_IperiusRemote_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_IperiusRemote_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_IperiusRemote_netconn.yaml	27
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Kaseya_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Kaseya_netconn.yaml	28
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Level_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Level_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Level_netconn.yaml	27
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_LiteManager_createproc.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_LiteManager_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_LiteManager_netconn.yaml	29
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_LogMeIn_createproc.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_LogMeIn_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_LogMeIn_netconn.yaml	38
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_MSP360_CloudBerry_createproc.yaml	30
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_MSP360_CloudBerry_filesig.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_MSP360_CloudBerry_netconn.yaml	31
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_MeshCentral_createproc.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_MeshCentral_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_MeshCentral_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NAble_createproc.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NAble_filesig.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NAble_netconn.yaml	38
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Naverisk_createproc.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Naverisk_filesig.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Naverisk_netconn.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NetSupport_createproc.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NetSupport_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NetSupport_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NinjaRMM_createproc.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NinjaRMM_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_NinjaRMM_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_OptiTune_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_OptiTune_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_OptiTune_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_PDQ_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_PDQ_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_PDQ_netconn.yaml	27
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Panorama9_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Panorama9_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Panorama9_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_PcVisit_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_PcVisit_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_PcVisit_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Pulseway_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Pulseway_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Pulseway_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RPort_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RPort_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RealVNC_createproc.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RealVNC_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RealVNC_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemoteDesktopPlus_createproc.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemoteDesktopPlus_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemotePC_createproc.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemotePC_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemotePC_netconn.yaml	27
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemoteUtilities_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemoteUtilities_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RemoteUtilities_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RustDesk_createproc.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_RustDesk_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ScreenMeet_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ScreenMeet_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ScreenMeet_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ServerEye_createproc.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ServerEye_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ServerEye_netconn.yaml	26
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ShowMyPC_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ShowMyPC_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ShowMyPC_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SimpleHelp_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SimpleHelp_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SimpleHelp_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Splashtop_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Splashtop_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_Splashtop_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SupRemo_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SupRemo_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SupRemo_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SyncroMSP_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SyncroMSP_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_SyncroMSP_netconn.yaml	26
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TacticalRMM_createproc.yaml	24
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TacticalRMM_filesig.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TacticalRMM_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TeamViewer_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TeamViewer_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TeamViewer_netconn.yaml	25
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TigerVNC_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TigerVNC_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TightVNC_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TightVNC_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_TightVNC_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_UltraViewer_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_UltraViewer_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_UltraViewer_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_XMReality_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_XMReality_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_XMReality_netconn.yaml	23
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ZohoAssist_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ZohoAssist_filesig.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_ZohoAssist_netconn.yaml	42
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm__all_netconn.yaml	185
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_mRemoteNG_createproc.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_mRemoteNG_netconn.yaml	22
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_parsec.app_createproc.yaml	21
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_parsec.app_filesig.yaml	20
Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_parsec.app_netconn.yaml	31
Hunting Queries/Microsoft 365 Defender/TVM/Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities.yaml	56
Hunting Queries/Microsoft 365 Defender/TVM/Microsoft Defender AV details.yaml	39
Hunting Queries/Microsoft 365 Defender/TVM/Microsoft Defender AV mode device count.yaml	11
Hunting Queries/Microsoft 365 Defender/TVM/Microsoft Defender Anti virus Engine details.yaml	23
Hunting Queries/Microsoft 365 Defender/TVM/Microsoft Defender Anti virus Platform details.yaml	23
Hunting Queries/Microsoft 365 Defender/TVM/Microsoft Defender Anti virus Security Intelligence details.yaml	24
Hunting Queries/Microsoft 365 Defender/TVM/devices_with_vuln_and_users_received_payload (1).yaml	25
Hunting Queries/Microsoft 365 Defender/TVM/devices_with_vuln_and_users_received_payload.yaml	36
Hunting Queries/Microsoft 365 Defender/Troubleshooting/Connectivity Failures by Device.yaml	87
Hunting Queries/Microsoft 365 Defender/Troubleshooting/Connectivity Failures by Domain.yaml	25
Hunting Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml	52
Hunting Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml	43
Hunting Queries/MultipleDataSources/ApplicationGrantedEWSPermissions.yaml	4
Hunting Queries/MultipleDataSources/AzureResourceAssignedPublicIP.yaml	4
Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml	115
Hunting Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml	70
Hunting Queries/MultipleDataSources/BackupDeletion.yaml	4
Hunting Queries/MultipleDataSources/CobaltDNSBeacon.yaml	4
Hunting Queries/MultipleDataSources/CriticalOperationsWithSystemrestore.yaml	103
Hunting Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml	4
Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml	4
Hunting Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml	4
Hunting Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml	4
Hunting Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml	4
Hunting Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml	39
Hunting Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn-UEBA.yaml	48
Hunting Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml	48
Hunting Queries/MultipleDataSources/DownloadofNewFileUsingCurl.yaml	57
Hunting Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml	36
Hunting Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml	83
Hunting Queries/MultipleDataSources/FireEyeRedTeamComms.yaml	99
Hunting Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml	145
Hunting Queries/MultipleDataSources/ForestBlizzard_IOC_RetroHunt.yaml	4
Hunting Queries/MultipleDataSources/HighRiskSignInAroundAuthMethodOrDeviceRegistration.yaml	61
Hunting Queries/MultipleDataSources/LogonwithExpiredAccount.yaml	78
Hunting Queries/MultipleDataSources/MailForwardingActivityFromNewLocation.yaml	75
Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml	4
Hunting Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml	4
Hunting Queries/MultipleDataSources/NonCompliantSigninwithBulkDownload.yaml	48
Hunting Queries/MultipleDataSources/NylonTyphoonCommandLineActivity-Nov2021.yaml	4
Hunting Queries/MultipleDataSources/NylonTyphoonRegIOCPatterns.yaml	4
Hunting Queries/MultipleDataSources/PermutationsOnLogonNames.yaml	124
Hunting Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml	4
Hunting Queries/MultipleDataSources/PossibleCommandInjectionagainstAzureIR.yaml	89
Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml	4
Hunting Queries/MultipleDataSources/PotentialSSHTunneltoAADConnectHost.yaml	34
Hunting Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml	34
Hunting Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml	36
Hunting Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml	113
Hunting Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml	107
Hunting Queries/MultipleDataSources/ReconActivitywithInteractiveLogonCorrelation.yaml	46
Hunting Queries/MultipleDataSources/SQLAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml	56
Hunting Queries/MultipleDataSources/SolarWindsInventory.yaml	4
Hunting Queries/MultipleDataSources/StorageAccountKeyEnumerationWithSigninandAuditlogs.yaml	58
Hunting Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandAuditLogs.yaml	61
Hunting Queries/MultipleDataSources/StorageAlertCorrelationwithCommonSecurityLogsandStorageLogs.yaml	50
Hunting Queries/MultipleDataSources/SuspiciousActivitiesRelatedToConfidentialDocuments.yaml	45
Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml	87
Hunting Queries/MultipleDataSources/TrackingPrivAccounts.yaml	187
Hunting Queries/MultipleDataSources/UnfamiliarsignincorrelationwithPortalSigninandAuditlogs.yaml	60
Hunting Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml	4
Hunting Queries/MultipleDataSources/UserGrantedAccess_CreatesResources.yaml	87
Hunting Queries/MultipleDataSources/UseragentExploitPentest.yaml	4
Hunting Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml	4
Hunting Queries/OfficeActivity/ExternalUserAddedRemovedInTeams_HuntVersion.yaml	4
Hunting Queries/OfficeActivity/ExternalUserFromNewOrgAddedToTeams.yaml	4
Hunting Queries/OfficeActivity/Mail_redirect_via_ExO_transport_rule_hunting.yaml	4
Hunting Queries/OfficeActivity/MultiTeamBot.yaml	4
Hunting Queries/OfficeActivity/MultiTeamOwner.yaml	4
Hunting Queries/OfficeActivity/MultipleTeamsDeletes.yaml	4
Hunting Queries/OfficeActivity/MultipleUsersEmailForwardedToSameDestination.yaml	4
Hunting Queries/OfficeActivity/NewBotAddedToTeams.yaml	3
Hunting Queries/OfficeActivity/New_WindowsReservedFileNamesOnOfficeFileServices.yaml	4
Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.yaml	4
Hunting Queries/OfficeActivity/TeamsFilesUploaded.yaml	4
Hunting Queries/OfficeActivity/UserAddToTeamsAndUploadsFile.yaml	4
Hunting Queries/OfficeActivity/WindowsReservedFileNamesOnOfficeFileServices.yaml	4
Hunting Queries/OfficeActivity/double_file_ext_exes.yaml	4
Hunting Queries/OfficeActivity/new_adminaccountactivity.yaml	4
Hunting Queries/OfficeActivity/new_sharepoint_downloads_by_IP.yaml	4
Hunting Queries/OfficeActivity/new_sharepoint_downloads_by_UserAgent.yaml	4
Hunting Queries/OfficeActivity/nonowner_MailboxLogin.yaml	4
Hunting Queries/OfficeActivity/powershell_or_nonbrowser_MailboxLogin.yaml	4
Hunting Queries/OfficeActivity/sharepoint_downloads.yaml	4
Hunting Queries/ProofpointPOD/ProofpointPODHighScoreAdultValue.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODHighScoreMalwareValue.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODHighScorePhishValue.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODHighScoreSpamValue.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODHighScoreSuspectValue.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODLargeOutboundEmails.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODRecipientsHighNumberDiscardReject.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODRecipientsLargeNumberOfCorruptedEmails.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODSendersLargeNumberOfCorruptedEmails.yaml	3
Hunting Queries/ProofpointPOD/ProofpointPODSuspiciousFileTypesInAttachments.yaml	3
Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml	4
Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml	4
Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml	4
Hunting Queries/SQLServer/SQL-New_UserCreated.yaml	4
Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml	4
Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml	4
Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml	4
Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml	4
Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml	4
Hunting Queries/SecurityAlert/AlertsForIP.yaml	48
Hunting Queries/SecurityAlert/AlertsForUser.yaml	37
Hunting Queries/SecurityAlert/AlertsOnHost.yaml	44
Hunting Queries/SecurityAlert/AlertsWithFile.yaml	42
Hunting Queries/SecurityAlert/AlertsWithProcess.yaml	41
Hunting Queries/SecurityAlert/WebShellCommandAlertEnrich.yaml	81
Hunting Queries/SecurityAlert/WebShellFileAlertEnrich.yaml	45
Hunting Queries/SecurityEvent/ADAccountLockouts.yaml	17
Hunting Queries/SecurityEvent/ADFSDBLocalSqlStatements.yaml	36
Hunting Queries/SecurityEvent/Certutil-LOLBins.yaml	4
Hunting Queries/SecurityEvent/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml	4
Hunting Queries/SecurityEvent/Crashdumpdisabledonhost.yaml	4
Hunting Queries/SecurityEvent/CustomUserList_FailedLogons.yaml	4
Hunting Queries/SecurityEvent/DecoyUserAccountAuthenticationAttempt.yaml	4
Hunting Queries/SecurityEvent/Discorddownloadinvokedfromcmdline.yaml	4
Hunting Queries/SecurityEvent/ExchangePowerShellSnapin.yaml	4
Hunting Queries/SecurityEvent/ExternalIPaddressinCommandLine.yaml	46
Hunting Queries/SecurityEvent/FailedUserLogons.yaml	4
Hunting Queries/SecurityEvent/FakeComputerAccountAuthenticationAttempt.yaml	18
Hunting Queries/SecurityEvent/FileExecutionWithOneCharacterInTheName.yaml	4
Hunting Queries/SecurityEvent/GroupAddedToPrivlegeGroup.yaml	4
Hunting Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml	4
Hunting Queries/SecurityEvent/HostsWithNewLogons.yaml	4
Hunting Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml	4
Hunting Queries/SecurityEvent/LargeScaleMalwareDeploymentGPOScheduledTask.yaml	19
Hunting Queries/SecurityEvent/Least_Common_Parent_Child_Process.yaml	4
Hunting Queries/SecurityEvent/Least_Common_Process_Command_Lines.yaml	4
Hunting Queries/SecurityEvent/Least_Common_Process_With_Depth.yaml	4
Hunting Queries/SecurityEvent/MSRPRN_Printer_Bug_Exploitation.yaml	4
Hunting Queries/SecurityEvent/MultipleExplicitCredentialUsage4648Events.yaml	4
Hunting Queries/SecurityEvent/NewChildProcessOfW3WP.yaml	4
Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml	4
Hunting Queries/SecurityEvent/PotentialImpacketExecution.yaml	4
Hunting Queries/SecurityEvent/PotentialLocalExploitationForPrivilegeEscalation.yaml	19
Hunting Queries/SecurityEvent/PotentialProcessDoppelganging.yaml	34
Hunting Queries/SecurityEvent/PowerCatDownload.yaml	4
Hunting Queries/SecurityEvent/ProcessEntropy.yaml	4
Hunting Queries/SecurityEvent/RIDHijacking.yaml	19
Hunting Queries/SecurityEvent/RareProcbyServiceAccount.yaml	4
Hunting Queries/SecurityEvent/RareProcessPath.yaml	4
Hunting Queries/SecurityEvent/RareProcessWithCmdLine.yaml	4
Hunting Queries/SecurityEvent/RareProcess_forWinHost.yaml	4
Hunting Queries/SecurityEvent/RemoteLoginPerformedwithWMI.yaml	4
Hunting Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe.yaml	4
Hunting Queries/SecurityEvent/RemoteScheduledTaskCreationUpdateviaSchtasks.yaml	19
Hunting Queries/SecurityEvent/ScheduledTaskCreationUpdateFromUserWritableDrectory.yaml	4
Hunting Queries/SecurityEvent/ServiceInstallationFromUsersWritableDirectory.yaml	4
Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml	4
Hunting Queries/SecurityEvent/SuspectedLSASSDump.yaml	4
Hunting Queries/SecurityEvent/Suspicious_Windows_Login_outside_normal_hours.yaml	4
Hunting Queries/SecurityEvent/Suspicious_enumeration_using_adfind.yaml	4
Hunting Queries/SecurityEvent/User Logons By Logon Type.yaml	4
Hunting Queries/SecurityEvent/UserAccountAddedToPrivlegeGroup.yaml	4
Hunting Queries/SecurityEvent/UserAccountCreatedDeleted.yaml	4
Hunting Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.yaml	4
Hunting Queries/SecurityEvent/UserCreatedByUnauthorizedUser.yaml	4
Hunting Queries/SecurityEvent/UsersOpenReadDeviceIdentityKey.yaml	42
Hunting Queries/SecurityEvent/VIPAccountFailedLogons.yaml	4
Hunting Queries/SecurityEvent/WindowsSystemShutdown-Reboot.yaml	35
Hunting Queries/SecurityEvent/WindowsSystemTimeChange.yaml	4
Hunting Queries/SecurityEvent/cscript_summary.yaml	4
Hunting Queries/SecurityEvent/enumeration_user_and_group.yaml	4
Hunting Queries/SecurityEvent/hunt_LOLBins.yaml	37
Hunting Queries/SecurityEvent/masquerading_files.yaml	4
Hunting Queries/SecurityEvent/new_processes.yaml	4
Hunting Queries/SecurityEvent/persistence_create_account.yaml	4
Hunting Queries/SecurityEvent/powershell_downloads.yaml	4
Hunting Queries/SecurityEvent/powershell_newencodedscipts.yaml	4
Hunting Queries/SecurityEvent/uncommon_processes.yaml	4
Hunting Queries/SigninLogs/AADSuspectedBruteForce.yaml	39
Hunting Queries/SigninLogs/AdministratorsAuthenticatingtoAnotherAzureADTenant.yaml	41
Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml	9
Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml	11
Hunting Queries/SigninLogs/DisabledAccountSigninAttempts.yaml	4
Hunting Queries/SigninLogs/DisabledAccountSigninAttemptsByIP.yaml	4
Hunting Queries/SigninLogs/InactiveAccounts.yaml	93
Hunting Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml	75
Hunting Queries/SigninLogs/LowAndSlowPasswordAttempt.yaml	37
Hunting Queries/SigninLogs/MFASpamming.yaml	44
Hunting Queries/SigninLogs/MFAUserBlocked.yaml	101
Hunting Queries/SigninLogs/SignInLogsWithExpandedPolicies.yaml	43
Hunting Queries/SigninLogs/Signins-From-VPS-Providers.yaml	4
Hunting Queries/SigninLogs/Signins-from-NordVPN-Providers.yaml	4
Hunting Queries/SigninLogs/SmartLockouts.yaml	26
Hunting Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml	42
Hunting Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml	65
Hunting Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml	58
Hunting Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml	4
Hunting Queries/SigninLogs/UnauthUser_AzurePortal.yaml	17
Hunting Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml	50
Hunting Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml	66
Hunting Queries/SigninLogs/anomalous_app_azuread_signin.yaml	54
Hunting Queries/SigninLogs/multipleAADAdminRemovals.yaml	34
Hunting Queries/SigninLogs/riskSignInWithDeviceRegistration.yaml	57
Hunting Queries/SigninLogs/signinBurstFromMultipleLocations.yaml	70
Hunting Queries/Syslog/Apache_log4j_Vulnerability.yaml	4
Hunting Queries/Syslog/Base64_Download_Activity.yaml	4
Hunting Queries/Syslog/Container_Miner_Activity.yaml	4
Hunting Queries/Syslog/CryptoCurrencyMiners.yaml	4
Hunting Queries/Syslog/CryptoThreatActivity.yaml	4
Hunting Queries/Syslog/Firewall_Disable_Activity.yaml	4
Hunting Queries/Syslog/Linux_Toolkit_Detected.yaml	4
Hunting Queries/Syslog/Process_Termination_Activity.yaml	4
Hunting Queries/Syslog/RareProcess_ForLxHost.yaml	4
Hunting Queries/Syslog/SCXExecuteRunAsProviders.yaml	4
Hunting Queries/Syslog/SchedTaskAggregation.yaml	4
Hunting Queries/Syslog/SchedTaskEditViaCrontab.yaml	4
Hunting Queries/Syslog/Suspicious_ShellScript_Activity.yaml	4
Hunting Queries/Syslog/disabled_account_squid_usage.yaml	54
Hunting Queries/Syslog/squid_abused_tlds.yaml	4
Hunting Queries/Syslog/squid_malformed_requests.yaml	4
Hunting Queries/Syslog/squid_volume_anomalies.yaml	4
Hunting Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml	4
Hunting Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml	4
Hunting Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml	4
Hunting Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml	4
Hunting Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml	4
Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml	38
Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml	30
Hunting Queries/W3CIISLog/ExchangeServerSuspiciousURIsVisited.yaml	44
Hunting Queries/W3CIISLog/PotentialWebshell.yaml	5
Hunting Queries/W3CIISLog/Potential_IIS_BF.yaml	83
Hunting Queries/W3CIISLog/Potential_IIS_CodeInject.yaml	94
Hunting Queries/W3CIISLog/RareClientFileAccess.yaml	52
Hunting Queries/W3CIISLog/RareUserAgentStrings.yaml	43
Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml	26
Hunting Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml	31
Hunting Queries/W3CIISLog/WebShellActivity.yaml	4
Hunting Queries/WireData/WireDataBeacon.yaml	54
Hunting Queries/ZoomLogs/HighCPURoom.yaml	35
Hunting Queries/ZoomLogs/MultipleRegistrationDenies.yaml	46
Hunting Queries/ZoomLogs/NewDomainAccess.yaml	31
Hunting Queries/ZoomLogs/NewTZ.yaml	36