New Check Point Harmony Email and Collaboration Solution Adds Email Threat Detection and SOAR Response

A new Microsoft Sentinel Solution for Check Point Harmony Email and Collaboration brings a CCF/DCR-based data connector ingesting into CheckpointHEC_CL, one phishing Analytic Rule, five Hunting Queries covering phishing/DLP/spam, and a Quarantine Playbook for automated response. Read More →

Okta SSO Detection Suite: Richer Alert Context, Configurable Thresholds, and Corrected Entity Mappings Across 9 Rules and 10 Hunting Queries

Nine Analytic Rules and ten Hunting Queries for Okta SSO have been overhauled with configurable thresholds, allowlist variables, improved JSON parsing, and corrected entity mappings, closing fidelity gaps that degraded Sentinel entity behaviour and alert context. Read More →

New Hunting Query: BadUSB HID Injection via certutil LOLBIN Detected Through explorer.exe Parent Signal

A new hunting query surfaces BadUSB payloads that abuse certutil.exe or cmd.exe via the WIN+R Run dialog by keying on explorer.exe as the initiating process – a signal absent from existing generic certutil LOLBin detections. Read More →

AI Agents Hunting Queries Migrated to Unified AgentsInfo Table -- Connector-Split Queries Retired

Seven consolidated AI agent hunting queries now target the unified Defender XDR AgentsInfo table, replacing 26 connector-specific queries split across the A365 and Copilot Studio connectors; existing deployments still running the old AIAgentsInfo-based queries have had no effective hunting coverage since the table split was introduced. Read More →

Abnormal Security Solution: Full Detection Coverage Added for CCF Push Connector (v3.1.0)

The Abnormal Security solution now ships four scheduled Analytic Rules, four Hunting Queries, four parsers, a workbook, and a Playbook — closing a complete detection gap that existed since the CCF Push connector was introduced in v3.0.0 with no bundled detections. Read More →

New Solution: Hybrid Attack Chain Hunting Across On-Premises, Cloud, and Kubernetes

A new Microsoft Sentinel Solution ships 55+ multi-stage hunting queries designed to detect attacker pivots across on-premises identity, Azure control plane, Kubernetes, and Microsoft Entra ID – covering full kill chains that individual, single-source detections routinely miss. Read More →

Cybersixgill Actionable Alerts: CCF Connector Added with Unified Parser Bridging Legacy and New Tables

The Cybersixgill Actionable Alerts solution adds a new CCF-based data connector alongside a unified parser that abstracts both the legacy Azure Function table (CyberSixgill_Alerts_CL) and the new CCF table (CyberSixgillAlertsV2_CL), ensuring hunting queries and workbooks continue working regardless of which connector is deployed. Read More →

Trend Micro Cloud App Security: CCF Connector Added with Dual-Schema Parser for Legacy and Modern Ingestion Paths

A new CCF-based Data Connector (TrendMicroCASConnector) is added alongside the existing Azure Functions connector, with the TrendMicroCAS parser updated to union both ingestion paths so all existing detections, hunting queries, and workbooks continue to work without modification. Read More →

Microsoft Defender XDR: Email Hunting Queries Fixed to Reference Correct Connector, Three New Teams/Phish Queries Added

Three email-focused Hunting Queries had a broken connector reference (OfficeATP instead of MicrosoftThreatProtection), suppressing results for orgs using the Defender XDR connector; three new queries covering RMM-via-Teams, alert correlation with Teams messages, and phish-reporter identity are also added. Read More →

Microsoft Defender XDR: OAuth and Device-Code Phishing Hunting Queries Unblocked After ARM-TTK Pipeline Failure

Two Defender XDR hunting queries targeting OAuth consent and device-code phishing were blocked from pipeline validation due to ARM-TTK hardcoded URI false positives; KQL refactored to construct URLs via strcat(), restoring deployment and preserving detection semantics. Read More →

UniFi Site Manager: New CCF Solution Adds Network Infrastructure Monitoring and Attack Surface Coverage

Community solution deploys 21 detections for UniFi network security posture, ISP performance degradation, and infrastructure defense evasion tactics. Read More →

Utimaco ESKM Integration: Enterprise Key Management Monitoring Arrives in Sentinel

New solution enables Microsoft Sentinel monitoring of Utimaco Enterprise Secure Key Manager KMIP operations and authentication events. Read More →

Azure SQL Database Detection Rules: Enhanced MITRE Coverage and Alert Context

Quality improvements to 10 Azure SQL analytic rules add missing MITRE techniques, alert customization, and standardized query outputs. Read More →

StealthTalk: New Enterprise Authentication Monitoring Solution with MITRE-Mapped Detection Portfolio

Complete StealthTalk Enterprise solution delivers four analytic rules targeting credential attacks (T1078, T1110, T1098) plus ASIM Authentication parsers and Teams integration. Read More →

CyberArk EPM: Migration to DCR and OAuth Authentication Replaces Deprecated Log Analytics API

CyberArk EPM connector updated to use DCR ingestion and OAuth authentication, addressing deprecation of Log Analytics API and improving security. Read More →

Slack Audit Solution: Enhanced Detection Logic and Alert Enrichment

Slack Audit analytic rules, hunting queries, and workbook upgraded with improved KQL logic, custom alert details, and enhanced entity mappings for stronger workspace monitoring. Read More →

Entra ID Post-Credential Activity Detection: Service Principal Staging and Privileged Role Escalation

Three new hunting queries target Midnight Blizzard-style persistence patterns — service principal credential staging, privileged role assignments to new accounts, and Temporary Access Pass abuse. Read More →

Gentlemen Ransomware Campaign: New Hunting Queries for EtherRAT/TukTuk IOCs and Web3 C2 Infrastructure

Two hunting queries added targeting Gentlemen ransomware campaign artifacts including payload hashes and decentralized Web3/SaaS C2 infrastructure used by EtherRAT and TukTuk malware. Read More →

LockBit Hunting Query: ActiveMQ Exploit IoC Detection Added

New hunting query provides hash-based detection for LockBit ransomware artifacts deployed via Apache ActiveMQ CVE-2023-46604 exploitation. Read More →

Entra ID Identity Boundary Expansion: Three New Hunting Queries for Stealthy Persistence

Added three hunting queries targeting identity boundary expansion techniques in Entra ID that escalate privileges without creating new accounts. Read More →