http://sentinelchangelog.net/tags/microsoft-365-defender/Recent content in Microsoft 365 Defender on sentinelchangelog.netHugo -- 0.157.0enFri, 29 May 2026 08:24:12 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14338/Fri, 29 May 2026 08:24:12 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14338/Two hunting queries added targeting Gentlemen ransomware campaign artifacts including payload hashes and decentralized Web3/SaaS C2 infrastructure used by EtherRAT and TukTuk malware.http://sentinelchangelog.net/posts/2026-05-29-pr-14350/Fri, 29 May 2026 05:32:22 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14350/New hunting query provides hash-based detection for LockBit ransomware artifacts deployed via Apache ActiveMQ CVE-2023-46604 exploitation.http://sentinelchangelog.net/posts/2026-05-27-pr-14308/Wed, 27 May 2026 08:59:01 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14308/New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations.http://sentinelchangelog.net/posts/2026-05-27-pr-14337/Wed, 27 May 2026 08:36:31 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14337/New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams.http://sentinelchangelog.net/posts/2026-05-26-pr-14333/Tue, 26 May 2026 09:05:22 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14333/New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks.http://sentinelchangelog.net/posts/2026-05-26-pr-14340/Tue, 26 May 2026 06:30:21 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14340/New hunting query identifies delivered emails using raw IPv4 addresses as URL domains to detect phishing campaigns bypassing domain reputation systems.http://sentinelchangelog.net/posts/2026-05-26-pr-14341/Tue, 26 May 2026 05:29:06 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14341/Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names.http://sentinelchangelog.net/posts/2026-05-21-pr-14314/Thu, 21 May 2026 12:14:25 +0000http://sentinelchangelog.net/posts/2026-05-21-pr-14314/New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths.http://sentinelchangelog.net/posts/2026-05-18-pr-14186/Mon, 18 May 2026 05:36:36 +0000http://sentinelchangelog.net/posts/2026-05-18-pr-14186/12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references.http://sentinelchangelog.net/posts/2026-05-06-pr-14183/Wed, 06 May 2026 17:39:52 +0000http://sentinelchangelog.net/posts/2026-05-06-pr-14183/Missing TargetUserSessionId field in Microsoft 365 Defender ASIM ProcessEvent parsers has been restored, fixing queries that previously returned null for this session correlation field.http://sentinelchangelog.net/posts/2026-04-22-pr-13785/Wed, 22 Apr 2026 16:54:39 +0000http://sentinelchangelog.net/posts/2026-04-22-pr-13785/ASIM Process Event parsers for Microsoft 365 Defender now extract file version metadata, improving process attribution and hunt query precision.http://sentinelchangelog.net/posts/2026-02-27-pr-13712/Fri, 27 Feb 2026 18:20:58 +0000http://sentinelchangelog.net/posts/2026-02-27-pr-13712/Updated ASIM Registry Event parser for Microsoft 365 Defender to include mandatory EventSchema and EventResult fields per schema compliance requirements.http://sentinelchangelog.net/posts/2026-01-22-pr-13441/Thu, 22 Jan 2026 21:03:56 +0000http://sentinelchangelog.net/posts/2026-01-22-pr-13441/Microsoft 365 Defender authentication parser improved ASIM compliance by removing unnormalized columns and relocating process/hash metadata to AdditionalFields structure.