🛡 300 KQLs on !!! 🎉🎉🎉. 🏆 A major milestone reaching the 300 series and a double-digit % contributor of this repository.🧙‍♂️. #Cybersecurity #SlimKQL #KQLWizard

🕵️‍♂️ New Detection Drop "You enumerate. I correlate. You exfil. I alert." 🔥. Just shipped a Sentinel KQL detection for NauthNRPC — a stealthy RPC-based AD recon tool. 🔍 Built to catch the quiet ones before they get loud.

🚀 launched ~1.5 weeks ago and already hit: 👥 3K+ members 🛡️ 182+ detections (KQL, Sigma, YARA, Splunk, Elastic. ). That’s ~18 detections/day! 🔥.Join the global defender community & contribute! . 🔗 Use invite code: Slim2025. #DefenderUnite

Storm 1811 SE Attack Detection. 1: Email Bombing.2: Microsoft Teams Impersonation.3: Remote Access via Quick Assist.4: Deploy Black Basta ransomware .

A KQL behavioural detection of the new #DEVMAN ransomware. Link: #Cybersecurity #DefenderXDR.

Mail Bomb Mayhem? KQL to the Rescue. Spotted a mail bomb attack originating from 30+ sender IPs. Leveraged KQL to trace the source and identify the ISPs involved. Visibility matters.🛡️.

SlimKQL Community Group. Hi all, I have migrated all my 338 KQLs from the GitHub Repo to SlimKQL Community Group. If you would like to get updates on my latest KQL detections, please do "FOLLOW" this community group. Thank you!. Steven 😄

Blind Eagle infrastructure exclusively leverages VBS files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys read RATs as a second-stage malware. KQL:.

🪱Lateral Movement Analysis KQL. Automatic Attack Disruption: A KQL query designed to provide statistics on the number of hosts and ports that the rogue quarantine device has connected to, supporting lateral movement investigation.

Automatic Attack Disruption Monitoring. #DefenderXDR #AutomaticAttackMonitoring

Unit42 - 500+ Phishing Domains Impersonating MS Login Pages. Adversary are leveraging over 500+ newly registered .shop domains, likely created via DGA to conduct phishing campaigns impersonating MS login pages. All-in-one scan:.

📬 Detecting EXO Graph Enumeration Spot abnormal M365 reconnaissance via Exchange Online using ActorInfoString + ML-powered CloudAppEvents. Ideal for catching attackers probing with compromised accounts.

😇✌️ - Successfully renewed!. PS: I do observed there are more questions on Security Copilot with Microsoft Sentinel . #Cybersecurity #MicrosoftCertification #SecurityOperations

When combined with machine learning analytics from CloudAppEvents, this enriched context helps surface uncommon or anomalous user activity, significantly boosting the accuracy of threat detection in Exchange Online.

Starting June, the introduction of ActorInfoString brings added transparency by capturing the True UserAgent—providing deeper insight into the origin of actions within your Exchange Online environment.

Detect anomalous external OAuthApp activity using 🆕ActorInfoString 🔥. KQL Code:.

𝗦𝗰𝗮𝘁𝘁𝗲𝗿𝗲𝗱 𝗦𝗽𝗶𝗱𝗲𝗿 🕷️. According to Unit 42, the threat actor is now targeting aviation industry. Using the Unit 42 IOCs, I have crafted a DefenderXDR KQL to scan the MDE telemetry for the past 30 days. KQL code:.

Researchers at Securonix identified a sophisticated malware campaign named 𝗦𝗘𝗥𝗣𝗘𝗡𝗧𝗜𝗡𝗘#𝗖𝗟𝗢𝗨𝗗, which exploits 𝗖𝗹𝗼𝘂𝗱𝗳𝗹𝗮𝗿𝗲 𝗧𝘂𝗻𝗻𝗲𝗹 infrastructure to deliver Python-based malware to Windows systems.

🔍 is a growing hub for community-driven detection rules—KQL, Sigma, YARA, Splunk & more. I've migrated across my 300+ KQL rules @SlimKQL and will continue sharing new ones. Catch them all here 👉 @KQLWizard 😉🔥  . Invitation Code: Slim2025