KQL query: Identify brute force attacks or invalid credential usage attempts
List user accounts with repeated logon failures to identify possible targets of brute force attacks or invalid credential usage attempts.

Archives for April 2024

KQL Query: Logon Failure Reason analysis
Investigate which Microsoft applications are experiencing the most logon failures and the reasons behind those failures.

KQL query: Get Active Directory failed logons
List failed logons logged in Active Directory with additional attributes for investigation and troubleshooting. Comparable to Windows security log event ID 4625.

KQL query: Get Active Directory sensitive group membership changes
List sensitive group membership changes, including who was added to or removed from which group, and who made the change.

KQL query: Get Active Directory group membership changes
Get users and the groups they were added or removed from, including who made the change.

KQL query: List devices vulnerable to CISA known exploited vulnerabilities
Identify devices in your Defender tenant that are vulnerable to known exploited vulnerabilities maintained by CISA.