http://sentinelchangelog.net/tags/hunting-queries/Recent content in Hunting Queries on sentinelchangelog.netHugo -- 0.157.0enMon, 01 Jun 2026 04:39:34 +0000http://sentinelchangelog.net/posts/2026-06-01-pr-14245/Mon, 01 Jun 2026 04:39:34 +0000http://sentinelchangelog.net/posts/2026-06-01-pr-14245/Slack Audit analytic rules, hunting queries, and workbook upgraded with improved KQL logic, custom alert details, and enhanced entity mappings for stronger workspace monitoring.http://sentinelchangelog.net/posts/2026-05-29-pr-14299/Fri, 29 May 2026 10:56:48 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14299/Three new hunting queries target Midnight Blizzard-style persistence patterns — service principal credential staging, privileged role assignments to new accounts, and Temporary Access Pass abuse.http://sentinelchangelog.net/posts/2026-05-29-pr-14338/Fri, 29 May 2026 08:24:12 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14338/Two hunting queries added targeting Gentlemen ransomware campaign artifacts including payload hashes and decentralized Web3/SaaS C2 infrastructure used by EtherRAT and TukTuk malware.http://sentinelchangelog.net/posts/2026-05-29-pr-14350/Fri, 29 May 2026 05:32:22 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14350/New hunting query provides hash-based detection for LockBit ransomware artifacts deployed via Apache ActiveMQ CVE-2023-46604 exploitation.http://sentinelchangelog.net/posts/2026-05-28-pr-14307/Thu, 28 May 2026 11:14:14 +0000http://sentinelchangelog.net/posts/2026-05-28-pr-14307/Added three hunting queries targeting identity boundary expansion techniques in Entra ID that escalate privileges without creating new accounts.http://sentinelchangelog.net/posts/2026-05-27-pr-14339/Wed, 27 May 2026 13:42:33 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14339/Adds three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations.http://sentinelchangelog.net/posts/2026-05-27-pr-14335/Wed, 27 May 2026 13:41:06 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14335/Adds hunting pack targeting device code phishing, service principal persistence, and bulk password resets by privileged actors.http://sentinelchangelog.net/posts/2026-05-27-pr-14336/Wed, 27 May 2026 13:38:59 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14336/Adds hunting query to detect hardware keystroke injectors spawning PowerShell through explorer.exe with evasion patterns.http://sentinelchangelog.net/posts/2026-05-27-pr-14334/Wed, 27 May 2026 13:38:30 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14334/Corrects broken hunting query that returned no results due to incorrect property name filter.http://sentinelchangelog.net/posts/2026-05-27-pr-14308/Wed, 27 May 2026 08:59:01 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14308/New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations.http://sentinelchangelog.net/posts/2026-05-27-pr-14337/Wed, 27 May 2026 08:36:31 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14337/New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams.http://sentinelchangelog.net/posts/2026-05-26-pr-14333/Tue, 26 May 2026 09:05:22 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14333/New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks.http://sentinelchangelog.net/posts/2026-05-26-pr-14311/Tue, 26 May 2026 08:14:04 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14311/Three hunting queries detect multi-event attack chains in Entra ID—privileged role grants followed by SP credential additions and MFA disabling followed by sign-ins from unknown IPs.http://sentinelchangelog.net/posts/2026-05-26-pr-14340/Tue, 26 May 2026 06:30:21 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14340/New hunting query identifies delivered emails using raw IPv4 addresses as URL domains to detect phishing campaigns bypassing domain reputation systems.http://sentinelchangelog.net/posts/2026-05-26-pr-14240/Tue, 26 May 2026 06:12:52 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14240/Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments.http://sentinelchangelog.net/posts/2026-05-26-pr-14341/Tue, 26 May 2026 05:29:06 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14341/Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names.http://sentinelchangelog.net/posts/2026-05-21-pr-14281/Thu, 21 May 2026 12:50:47 +0000http://sentinelchangelog.net/posts/2026-05-21-pr-14281/New hunting pack targeting workload identity abuse and privileged role assignment anomalies with coverage gaps for service principal credential theft and PIM bypass techniques.http://sentinelchangelog.net/posts/2026-05-21-pr-14314/Thu, 21 May 2026 12:14:25 +0000http://sentinelchangelog.net/posts/2026-05-21-pr-14314/New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths.http://sentinelchangelog.net/posts/2026-05-21-pr-14257/Thu, 21 May 2026 04:14:42 +0000http://sentinelchangelog.net/posts/2026-05-21-pr-14257/New hunting query helps identify the actual user who reported a phishing message when recipients and actors differ in delegate or shared mailbox scenarios.http://sentinelchangelog.net/posts/2026-05-19-pr-14262/Tue, 19 May 2026 10:09:11 +0000http://sentinelchangelog.net/posts/2026-05-19-pr-14262/Three new hunting queries correlate AuditLogs and SigninLogs to surface post-compromise identity patterns using baseline-driven anomaly detection.http://sentinelchangelog.net/posts/2026-05-18-pr-14101/Mon, 18 May 2026 07:30:57 +0000http://sentinelchangelog.net/posts/2026-05-18-pr-14101/Comprehensive quality improvements to 61 AWS Analytic Rules and 35 Hunting Queries with standardized naming conventions, normalized MITRE technique mappings, and updated entity field references from legacy AccountCustomEntity to UserIdentityUserName.http://sentinelchangelog.net/posts/2026-05-18-pr-14186/Mon, 18 May 2026 05:36:36 +0000http://sentinelchangelog.net/posts/2026-05-18-pr-14186/12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references.http://sentinelchangelog.net/posts/2026-05-13-pr-14239/Wed, 13 May 2026 10:29:56 +0000http://sentinelchangelog.net/posts/2026-05-13-pr-14239/Five hunting queries expose OAuth consent abuse, privileged escalation, and Conditional Access evasion used in Midnight Blizzard and Storm-0558 campaigns.http://sentinelchangelog.net/posts/2026-05-07-pr-14213/Thu, 07 May 2026 10:51:04 +0000http://sentinelchangelog.net/posts/2026-05-07-pr-14213/Identifies service principal credential additions by actors not observed performing these operations in the previous 90 days, targeting persistence techniques.http://sentinelchangelog.net/posts/2026-05-07-pr-14208/Thu, 07 May 2026 10:50:43 +0000http://sentinelchangelog.net/posts/2026-05-07-pr-14208/Correlates failed sign-ins across multiple identities followed by successful authentication from the same IP within 15 minutes, targeting password spraying patterns.http://sentinelchangelog.net/posts/2026-05-07-pr-14207/Thu, 07 May 2026 10:50:16 +0000http://sentinelchangelog.net/posts/2026-05-07-pr-14207/Surfaces rapid ASN changes between interactive and non-interactive sign-ins within 10 minutes, indicating potential post-compromise token misuse.http://sentinelchangelog.net/posts/2026-05-06-pr-13820/Wed, 06 May 2026 09:37:20 +0000http://sentinelchangelog.net/posts/2026-05-06-pr-13820/Comprehensive quality improvements to 11 Azure Firewall detections and 5 hunting queries add entity mappings, custom details, and query optimizations to reduce false positives and improve incident context.http://sentinelchangelog.net/posts/2026-05-05-pr-14107/Tue, 05 May 2026 09:58:40 +0000http://sentinelchangelog.net/posts/2026-05-05-pr-14107/Updated 9 analytic rules and 10 hunting queries with strengthened entity mapping, alert details, and MITRE coverage for OT/IoT network monitoring.http://sentinelchangelog.net/posts/2026-05-04-pr-14117/Mon, 04 May 2026 12:53:39 +0000http://sentinelchangelog.net/posts/2026-05-04-pr-14117/Two new hunting queries detect Teams phishing campaigns that lure victims into launching remote access tools, addressing the Storm-1811 / Black Basta cross-tenant attack pattern.http://sentinelchangelog.net/posts/2026-04-24-pr-14045/Fri, 24 Apr 2026 05:26:39 +0000http://sentinelchangelog.net/posts/2026-04-24-pr-14045/Complete Valimail Enforce monitoring solution delivers real-time detection of email authentication policy weakening and suspicious admin activity affecting domain security posture.http://sentinelchangelog.net/posts/2026-04-23-pr-13858/Thu, 23 Apr 2026 05:24:37 +0000http://sentinelchangelog.net/posts/2026-04-23-pr-13858/SOCRadar XTI Platform solution now available in Content Hub with automated alarm import, incident sync, and comprehensive threat intelligence monitoring capabilities.http://sentinelchangelog.net/posts/2026-03-27-pr-13735/Fri, 27 Mar 2026 05:01:42 +0000http://sentinelchangelog.net/posts/2026-03-27-pr-13735/New analytic rules target jailbreak attempts, external access, plugin tampering, and file upload disabling - covering major AI security attack vectors.http://sentinelchangelog.net/posts/2026-03-06-pr-13740/Fri, 06 Mar 2026 05:08:34 +0000http://sentinelchangelog.net/posts/2026-03-06-pr-13740/Fixed IdentityInfo field reference from AccountUPN to AccountUpn to resolve KQL validation failure and restore query functionality.http://sentinelchangelog.net/posts/2026-02-26-pr-13705/Thu, 26 Feb 2026 04:54:57 +0000http://sentinelchangelog.net/posts/2026-02-26-pr-13705/Minor documentation improvement clarifying protected settings visibility in Custom Script Extension hunting query.http://sentinelchangelog.net/posts/2026-02-17-pr-13596/Tue, 17 Feb 2026 06:43:02 +0000http://sentinelchangelog.net/posts/2026-02-17-pr-13596/Microsoft Defender XDR solution v3.0.14 adds hunting query targeting Punycode character abuse in lookalike domain attacks.http://sentinelchangelog.net/posts/2026-02-03-pr-13535/Tue, 03 Feb 2026 09:48:09 +0000http://sentinelchangelog.net/posts/2026-02-03-pr-13535/Advanced hunting query detects punycode domains using Cyrillic, Greek, and fullwidth ASCII characters to visually impersonate legitimate domains in email and Teams.http://sentinelchangelog.net/posts/2026-01-22-pr-13485/Thu, 22 Jan 2026 11:09:59 +0000http://sentinelchangelog.net/posts/2026-01-22-pr-13485/Updated SUNSPOT malware detection rule with corrected reference link formatting and MITRE technique mapping fixes across multiple solutions.http://sentinelchangelog.net/posts/2026-01-22-pr-12801/Thu, 22 Jan 2026 09:02:45 +0000http://sentinelchangelog.net/posts/2026-01-22-pr-12801/Complete JoeSandbox solution deployment enabling automated malware analysis, threat intelligence feed ingestion, and incident enrichment playbooks for Microsoft Sentinel.http://sentinelchangelog.net/posts/2026-01-22-pr-13205/Thu, 22 Jan 2026 06:09:17 +0000http://sentinelchangelog.net/posts/2026-01-22-pr-13205/Corrected malformed version numbers in Microsoft Teams threat hunting queries from invalid “l.0.0” to proper “1.0.0” format.http://sentinelchangelog.net/posts/2026-01-21-pr-13480/Wed, 21 Jan 2026 13:39:25 +0000http://sentinelchangelog.net/posts/2026-01-21-pr-13480/Updated outdated links and corrected MITRE ATT&CK technique mapping in detection rules across Microsoft Business Applications, Microsoft Defender XDR, and Windows Security Events solutions.http://sentinelchangelog.net/posts/2025-12-24-pr-13346/Wed, 24 Dec 2025 11:51:45 +0000http://sentinelchangelog.net/posts/2025-12-24-pr-13346/Critical schema update replaces deprecated requiredTechniques field with correct relevantTechniques field in analytic rules.http://sentinelchangelog.net/posts/2025-12-12-pr-12927/Fri, 12 Dec 2025 09:49:09 +0000http://sentinelchangelog.net/posts/2025-12-12-pr-12927/Field name inconsistencies in Fortigate ASIM parsers corrected to ensure proper schema compliance and data normalization.http://sentinelchangelog.net/posts/2025-12-08-pr-13138/Mon, 08 Dec 2025 06:57:34 +0000http://sentinelchangelog.net/posts/2025-12-08-pr-13138/P0-labeled update improves URL entity mapping in Cloudflare detection rules alongside extensive repository maintenance and validation improvements.http://sentinelchangelog.net/posts/2025-12-04-pr-13198/Thu, 04 Dec 2025 05:49:38 +0000http://sentinelchangelog.net/posts/2025-12-04-pr-13198/Updated threat hunting rules add MITRE ATT&CK mappings and fix parser function calls for improved threat detection coverage.http://sentinelchangelog.net/posts/2025-11-24-pr-13182/Mon, 24 Nov 2025 11:31:39 +0000http://sentinelchangelog.net/posts/2025-11-24-pr-13182/UEBA Essentials v4.1.0 adds five targeted hunting queries for high-score anomaly triage, trend analysis, template distribution, user-centric investigation, and malicious source IP identification.http://sentinelchangelog.net/posts/2025-11-21-pr-13167/Fri, 21 Nov 2025 05:16:08 +0000http://sentinelchangelog.net/posts/2025-11-21-pr-13167/Extended Teams protection hunting coverage with queries for partner impersonation, admin submissions, and external sender analysis.http://sentinelchangelog.net/posts/2025-11-20-pr-13158/Thu, 20 Nov 2025 08:54:08 +0000http://sentinelchangelog.net/posts/2025-11-20-pr-13158/Open Systems connector updated aiohttp dependency addressing potential security vulnerabilities, bundled with extensive solution packaging updates.http://sentinelchangelog.net/posts/2025-11-19-pr-13156/Wed, 19 Nov 2025 08:50:58 +0000http://sentinelchangelog.net/posts/2025-11-19-pr-13156/New hunting queries added to detect malicious URL clicks, ZAP events, and user submissions in Microsoft Teams.http://sentinelchangelog.net/posts/2025-11-14-pr-13116/Fri, 14 Nov 2025 08:22:41 +0000http://sentinelchangelog.net/posts/2025-11-14-pr-13116/New Solution delivers 5 Analytic Rules and 5 Hunting Queries to detect GCP security misconfigurations including unrestricted API keys, disabled security features, and risky IAM configurations.http://sentinelchangelog.net/posts/2025-11-12-pr-13065/Wed, 12 Nov 2025 11:17:58 +0000http://sentinelchangelog.net/posts/2025-11-12-pr-13065/Major update adds comprehensive multi-cloud anomaly detection capabilities across AWS, GCP, and Okta platforms with 6 new hunting queries.