Entra ID Authentication Anomalies: Advanced Hunting for Privilege Abuse and Defense Evasion

Adds a three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations.

Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Delta

New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams.

Entra ID Hunting Pack: Defense Weakening and Privilege Abuse Detection

Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments.

ETW-Resistant .NET Fileless Injection Detection via Kernel-Level CLR Loading

New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths.

AWS Content Quality Overhaul: Standardized Detection Rules and Improved Entity Mappings

Comprehensive quality improvements to 61 AWS Analytic Rules and 35 Hunting Queries with standardized naming conventions, normalized MITRE technique mappings, and updated entity field references from legacy AccountCustomEntity to UserIdentityUserName.

Entra ID Attack Chain Detection: 5 New Hunting Queries Target Application Layer Persistence

Five hunting queries expose OAuth consent abuse, privilege escalation, and Conditional Access evasion used in Midnight Blizzard and Storm-0558 campaigns.

SOC Prime CCF: Three New Detection Rules for Platform Security Events

SOC Prime solution adds Analytic Rules detecting platform administration events including tenant deletion and successful logins from malicious IPs.

Microsoft Security Copilot: Six New Detections for AI Assistant Abuse

New analytic rules target jailbreak attempts, external access, plugin tampering, and file upload disabling, covering major AI security attack vectors.