2025

AzureActivity - VM: Password Reset through EnableAccess VM Extension

This query will detect when a VM's admin password is reset through the enablevmaccess extension.

T1651

MDE - MDE Exclusion Added or Modified

This query will detect when an MDE exclusion is added or modified.

T1562.001

Azure Key Vault - User Adds Themselves to a Vault Access Policy

This query will detect when a user adds themselves to a vault access policy, potentially exploiting a known privesc attack path.

T1555.006 T1556

Azure NSG - Changes to Inbound Rules Allowing Management Ports

This query will detect changes to inbound NSG security group rules allowing access to management ports.

T1562.007

AWS S3 - Changes to Block Public Access Settings

This query detects changes to S3 Block Public Access settings.

T1562.007

AWS VPC - Changes to Inbound Rules Allowing Management Ports

This query will detect changes to inbound VPC security group rules allowing access to management ports.

T1078.004 T1110

AWS CloudTrail - Failed Login from Root User

This query will detect failed console logins from the Root user.

T1078.004 T1110

AWS CloudTrail - Console Login Without MFA

This query will detect console login events without MFA.

T1078.004

AWS CloudTrail - CloudTrail Log Stopped

This query will detect when an AWS CloudTrail log is stopped.

T1556 T1098.001

AWS CloudTrail - New Access Key Created for Root User

This query will detect when a new access key is created for a root user.

T1556 T1098.001

AWS CloudTrail - CVE-2024-50603 Potential Exploitation Activity

This query hunts for potential exploitation activity of CVE-2024-50603 in AWS CloudTrail logs.

T1203

Azure Key Vault - Potential Privilege Escalation Activity

This query identifies potential privilege escalation activity, where a Key Vault is changed from RBAC to vault access policy, and a caller then grants themselves access to the keys, secrets, or certificates.

T1555.006

Azure Key Vault - Large Number of Keys, Secrets, or Certs Accessed

This query detects when a large number of Key Vault items are accessed in a short period of time.

T1555.006

Azure Key Vault - Large Number of Keys, Secrets, Certs Deleted

This query detects when a large number of Key Vault items are deleted in a short period of time.

T1555.006 T1485

Azure Key Vault - Vault Access Configuration Modified

This query detects when a Key Vault is changed from RBAC to vault access policy.

T1555.006 T1556

2025-01-06: Azure Key Vault - New IP Address Added to Key Vault Firewall

This query detects new or unknown IPs added to the Key Vault firewall.

T1562.007 T1555.006

2025-01-05: Azure Storage Account - Mass Download

This query detects when a large volume of blob files is downloaded over a short period of time.

T1530

2025-01-04: Azure Activity - New IP Address Added to Storage Account Firewall

This query detects when a new IP address has been added to a storage account firewall.

T1562.007 T1530

2025-01-03: Azure Activity - Public Access Enabled on Storage Account

This query looks for a request to enable public access on a storage account.

T1562.007 T1530

2025-01-02: Azure Active Directory - Credential Added to App Registration

This query looks for new secrets or certificates added to an Azure AD App Registration.

T1098.001

2025-01-01: Azure Active Directory - Conditional Access Policy Modified

This query looks for changes to Conditional Access Policies.

T1556.009

2024

2024-12-31: Hello KQL

The Kustonomicon