Gentlemen Ransomware Campaign: New Hunting Queries for EtherRAT/TukTuk IOCs and Web3 C2 Infrastructure

Two hunting queries added targeting Gentlemen ransomware campaign artifacts including payload hashes and decentralized Web3/SaaS C2 infrastructure used by EtherRAT and TukTuk malware.

LockBit Hunting Query: ActiveMQ Exploit IoC Detection Added

New hunting query provides hash-based detection for LockBit ransomware artifacts deployed via Apache ActiveMQ CVE-2023-46604 exploitation.

Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detection

New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations.

Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Delta

New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams.

Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalies

New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks.

Phishing Detection: Raw IP URLs in Delivered Email

New hunting query identifies delivered emails using raw IPv4 addresses as URL domains to detect phishing campaigns bypassing domain reputation systems.

LSASS Credential Dumping: Resilient Behavioral Detection Pack Added

Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names.

ETW-Resistant .NET Fileless Injection Detection via Kernel-Level CLR Loading

New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths.

Microsoft Entra ID Table Rename: Hunting Queries Updated for Current Schema

12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references.

M365 Defender ASIM Parser: TargetUserSessionId Field Restoration Fixes Data Fidelity Gap

Missing TargetUserSessionId field in Microsoft 365 Defender ASIM ProcessEvent parsers has been restored, fixing queries that previously returned null for this session correlation field.

Microsoft 365 Defender Process Parsers: Enhanced File Metadata Visibility

ASIM Process Event parsers for Microsoft 365 Defender now extract file version metadata, improving process attribution and hunt query precision.

ASIM Registry Event: Added Mandatory Fields for Microsoft 365 Defender Parser Compliance

Updated ASIM Registry Event parser for Microsoft 365 Defender to include mandatory EventSchema and EventResult fields per schema compliance requirements.

ASIM Authentication Parser: Microsoft 365 Defender Schema Compliance Enhancement

Microsoft 365 Defender authentication parser improved ASIM compliance by removing unnormalized columns and relocating process/hash metadata to the AdditionalFields structure.