Sonrai Security CCF Connector: New Cloud Security Posture Visibility

Sonrai Security compliance tickets now integrate directly with Microsoft Sentinel through a new CCF push connector. Read More →

VMware Workspace ONE: New CCF Connector for UEM Device and Application Visibility

VMware Workspace ONE Unified Endpoint Management platform now available in Microsoft Sentinel via CCF connector for device compliance monitoring and shadow IT detection. Read More →

Entra ID Authentication Anomalies: Advanced Hunting for Privilege Abuse and Defense Evasion

Adds three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations. Read More →

Entra ID Account Takeover: Three-Query Hunting Pack for Post-Compromise Detection

Adds hunting pack targeting device code phishing, service principal persistence, and bulk password resets by privileged actors. Read More →

BadUSB HID Injection Detection: New Hunt for PowerShell via Windows Run Dialog

Adds hunting query to detect hardware keystroke injectors spawning PowerShell through explorer.exe with evasion patterns. Read More →

Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detection

New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations. Read More →

Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Delta

New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams. Read More →

Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalies

New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks. Read More →

Entra ID Attack Chain Correlation: Three New Hunting Queries for Sequential Compromise Patterns

Three hunting queries detect multi-event attack chains in Entra ID—privileged role grants followed by SP credential additions and MFA disabling followed by sign-ins from unknown IPs. Read More →

Phishing Detection: Raw IP URLs in Delivered Email

New hunting query identifies delivered emails using raw IPv4 addresses as URL domains to detect phishing campaigns bypassing domain reputation systems. Read More →

Entra ID Hunting Pack: Defense Weakening and Privilege Abuse Detection

Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments. Read More →

LSASS Credential Dumping: Resilient Behavioral Detection Pack Added

Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names. Read More →

Cyren Defender Threat Intelligence: New IP and Malware URL Ingestion for Microsoft Sentinel

Content Hub solution adds Cyren threat intelligence feeds for IP reputation and malware URL indicators via automated Logic App playbook. Read More →

Entra ID Workload Identity and Privileged Role Hunting Pack: Three New Detection Queries

New hunting pack targeting workload identity abuse and privileged role assignment anomalies with coverage gaps for service principal credential theft and PIM bypass techniques. Read More →

ETW-Resistant .NET Fileless Injection Detection via Kernel-Level CLR Loading

New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths. Read More →

Microsoft Defender XDR: New Hunting Query for Delegate Mailbox Phish Reporting Analysis

New hunting query helps identify the actual user who reported a phishing message when recipients and actors differ in delegate or shared mailbox scenarios. Read More →

New Cyren-CrowdStrike Threat Intelligence Solution: Automated IOC Sync for Enhanced Threat Detection

Logic App playbook now available to automatically sync Cyren IP reputation and malware URL indicators to CrowdStrike Falcon for streamlined threat blocking. Read More →

Entra ID Cross-Source Hunting Pack: Post-Compromise Pattern Detection

Three new hunting queries correlate AuditLogs and SigninLogs to surface post-compromise identity patterns using baseline-driven anomaly detection. Read More →

Illumio Insights Graph: New Network Traffic Analysis and Threat Intelligence Connector

New CCF-based connector ingests Illumio AI-powered threat discovery reports with network flow analysis, geographic context, and MITRE ATT&CK framework integration. Read More →

Fortra Agari CCF Connector: Modern Email Security Data Ingestion

Fortra Agari transitions from Azure Functions to CCF framework, restoring Brand Protection, Phishing Defense, and Phishing Response visibility with DCR-based ingestion. Read More →