Entra ID Brute-Force Detection: Sort Order Fix Corrects Anomaly Decomposition Input

The BruteForceAgainstanEntraAuthenticatedWindowsDevice Analytic Rule was building unsorted time-series arrays for series_decompose_anomalies, meaning anomaly detection results could be incorrect or inconsistent across executions – this fix enforces chronological ordering and stable serialization before make_list. Read More →

Hybrid Attack Solution: Packaging Fix for Missing Workbook Content ID and Version

Corrects missing content ID and version fields in the Hybrid Attack — Cloud & Identity solution packaging template to resolve a validation failure preventing Content Hub deployment. Read More →

New Workbook: Hybrid Attack Kill-Chain Hunting Across Cloud and On-Prem Identity

A new behavior-led hunting workbook registers in Microsoft Sentinel covering end-to-end hybrid identity attack scenarios across 7 MITRE ATT&CK phases, correlating signals from Entra ID, Azure, on-prem AD, and Defender XDR. Read More →

Microsoft Defender XDR: Email Hunting Queries Fixed to Reference Correct Connector, Three New Teams/Phish Queries Added

Three email-focused Hunting Queries had a broken connector reference (OfficeATP instead of MicrosoftThreatProtection), suppressing results for orgs using the Defender XDR connector; three new queries covering RMM-via-Teams, alert correlation with Teams messages, and phish-reporter identity are also added. Read More →

Microsoft Defender XDR: OAuth and Device-Code Phishing Hunting Queries Unblocked After ARM-TTK Pipeline Failure

Two Defender XDR hunting queries targeting OAuth consent and device-code phishing were blocked from pipeline validation due to ARM-TTK hardcoded URI false positives; KQL refactored to construct URLs via strcat(), restoring deployment and preserving detection semantics. Read More →

Premium MDTI Connector Removed from Threat Intelligence Solution During MDTI Convergence

Premium Microsoft Defender Threat Intelligence connector no longer available in Threat Intelligence (NEW) solution v3.0.19 as part of MDTI convergence effort. Read More →

Azure SQL Database Detection Rules: Enhanced MITRE Coverage and Alert Context

Quality improvements to 10 Azure SQL analytic rules add missing MITRE techniques, alert customization, and standardized query outputs. Read More →

Agent 365 Solution: Content Hub Update Detection Restored After Package ID Mismatch

Restores Agent 365 v3.1.1 Content Hub update detection by fixing solution ID mismatch that prevented upgrade notifications. Read More →

Microsoft Agent Identities Connector: New Entra Non-Human Identity Asset Visibility (Preview)

Agent 365 solution adds new Microsoft Agent Identities connector for tracking agent blueprints and non-human identity assets across four data tables. Read More →

Azure Security Benchmark Solution: Enhanced Detection Logic and Incident Enrichment (v3.0.5)

Azure Security Benchmark solution updated to v3.0.5 with improved compliance monitoring logic, proper data connector declarations, and enhanced incident alert details. Read More →

LockBit Hunting Query: ActiveMQ Exploit IoC Detection Added

New hunting query provides hash-based detection for LockBit ransomware artifacts deployed via Apache ActiveMQ CVE-2023-46604 exploitation. Read More →

Entra ID Authentication Anomalies: Advanced Hunting for Privilege Abuse and Defense Evasion

Adds three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations. Read More →

Entra ID Account Takeover: Three-Query Hunting Pack for Post-Compromise Detection

Adds hunting pack targeting device code phishing, service principal persistence, and bulk password resets by privileged actors. Read More →

BadUSB HID Injection Detection: New Hunt for PowerShell via Windows Run Dialog

Adds hunting query to detect hardware keystroke injectors spawning PowerShell through explorer.exe with evasion patterns. Read More →

Microsoft Entra ID OAuth Consent Query: Fixing Zero-Result Bug in High-Risk Permission Detection

Corrects broken hunting query that returned no results due to incorrect property name filter. Read More →

Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detection

New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations. Read More →

Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Delta

New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams. Read More →

Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalies

New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks. Read More →

LSASS Credential Dumping: Resilient Behavioral Detection Pack Added

Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names. Read More →

Entra ID Workload Identity and Privileged Role Hunting Pack: Three New Detection Queries

New hunting pack targeting workload identity abuse and privileged role assignment anomalies with coverage gaps for service principal credential theft and PIM bypass techniques. Read More →