ETW-Resistant .NET Fileless Injection Detection via Kernel-Level CLR Loading

New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths. Read More →

Microsoft Defender XDR: New Hunting Query for Delegate Mailbox Phish Reporting Analysis

New hunting query helps identify the actual user who reported a phishing message when recipients and actors differ in delegate or shared mailbox scenarios. Read More →

Agent 365 Solution Rebranded from A365 Observability (v3.0.1)

Microsoft renamed the A365 Observability solution to Agent 365 for marketing alignment with no functional changes. Read More →

Microsoft Entra ID Protection: Enhanced Detection Logic Filters Out Admin Risk Events

Updated CorrelateIPC_Unfamiliar-Atypical rule adds filtering to exclude admin-triggered atypical travel alerts, improving detection precision. Read More →

Microsoft Entra ID: Service Principal Credential Manipulation by Rare Actors

Identifies service principal credential additions by actors not observed performing these operations in the previous 90 days, targeting persistence techniques. Read More →

Microsoft Entra ID: Hunting Query for Password Spraying Detection via IP Failure Bursts

Correlates failed sign-ins across multiple identities followed by successful authentication from the same IP within 15 minutes, targeting password spraying patterns. Read More →

Microsoft Entra ID: New Hunting Query Detects Post-Compromise Token Abuse via ASN Mismatches

Surfaces rapid ASN changes between interactive and non-interactive sign-ins within 10 minutes, indicating potential post-compromise token misuse. Read More →

Azure Firewall Detection Quality Overhaul: Enhanced Alert Context and Reduced Query Costs

Comprehensive quality improvements to 11 Azure Firewall detections and 5 hunting queries add entity mappings, custom details, and query optimizations to reduce false positives and improve incident context. Read More →

Teams Social Engineering Detection: New Hunting Queries for RMM-Based Attacks

Two new hunting queries detect Teams phishing campaigns that lure victims into launching remote access tools, addressing the Storm-1811 / Black Basta cross-tenant attack pattern. Read More →

Azure DevOps Auditing: Fixing Broken Connector After Parameter Mismatch

Critical configuration fix resolves parameter name mismatch that prevented Azure DevOps audit log ingestion entirely. Read More →

Entra ID Brute Force Detection: Renamed for Broader Windows Device Coverage

Analytic rule renamed from Cloud PC-specific to cover all Entra-authenticated Windows devices, clarifying detection scope without logic changes. Read More →

ASIM Process Event Parsers: Parameter Standardization Fixes Filtering Logic Inconsistencies

ASIM Process Event parser parameter names corrected to match documentation, fixing filtering logic discrepancies that could affect query performance and parser interoperability. Read More →

Global Secure Access: Threat Intelligence Detection Restored After URL Regex Failure

Fixed broken URL threat intelligence detection and expanded workbook coverage for new Entra traffic type. Read More →

Microsoft Entra ID Conditional Access Bypass Detection: False Positive Reduction via Benign Status Code Watchlist

New watchlist filters out 7 known-benign status codes from Conditional Access bypass detection to reduce false positives from legitimate MFA prompts and session expiration events. Read More →

Azure Security Benchmark Workbook: Parameter Filtering Logic Fixed

KQL queries in the Azure Security Benchmark workbook now properly filter by selected compliance domains. Read More →

Microsoft Entra ID: Account Creation/Deletion Detection Enhanced Against Timing Evasion

Critical improvements to AccountCreatedandDeletedinShortTimeframe rule extend detection window to 7 days and use immutable UserID correlation to prevent timing-based evasion techniques. Read More →

Azure Security Benchmark: Updated Labels to Microsoft Cloud Security Benchmark

Replaced “Azure Security Benchmark” references with “Microsoft cloud security benchmark” across workbook labels and KQL queries. Read More →

ASIM AlertEvent Parser: Microsoft Defender XDR Missing AlertOriginalStatus Field Restored

Critical data fidelity fix restores missing AlertOriginalStatus field in Microsoft Defender XDR ASIM AlertEvent parser, resolving alert status visibility gap. Read More →

Microsoft Security Copilot Solution Released to General Availability

Microsoft Security Copilot solution v3.0.2 transitions from preview to GA with connector availability status updated. Read More →

Microsoft A365 Observability Connector: Explicit SecurityAdmin Requirement Removed

Microsoft removed the explicit SecurityAdmin requirement from the A365 Observability connector, but GlobalAdmin — the highest privilege level in Azure AD — is still required. This is not a reduction in required privilege. Read More →