Automatic Attack Disruption Monitoring #DefenderXDR #AutomaticAttackMonitoring

🪱Lateral Movement Analysis KQL Automatic Attack Disruption: A KQL query designed to provide statistics on the number of hosts and ports that the rogue quarantine device has connected to, supporting lateral movement investigation. detections.ai/rules/162280b5…

Blind Eagle infrastructure exclusively leverages VBS files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys read RATs as a second-stage malware. trustwave.com/en-us/resource… KQL: detections.ai/rules/75867a1f…

SlimKQL Community Group Hi all, I have migrated all my 338 KQLs from the GitHub Repo to Detections.ai SlimKQL Community Group. If you would like to get updates on my latest KQL detections, please do "FOLLOW" this community group. Thank you! Steven 😄

Mail Bomb Mayhem? KQL to the Rescue. Spotted a mail bomb attack originating from 30+ sender IPs. Leveraged KQL to trace the source and identify the ISPs involved. Visibility matters.🛡️ detections.ai/rules/e6a47fe9…

A KQL behavioural detection of the new #DEVMAN ransomware. Link: detections.ai/rules/8aa75ded… #Cybersecurity #DefenderXDR

Storm 1811 SE Attack Detection 1: Email Bombing 2: Microsoft Teams Impersonation 3: Remote Access via Quick Assist 4: Deploy Black Basta ransomware detections.ai/rules/8d713b74…

🚀 detections.ai launched ~1.5 weeks ago and already hit: 👥 3K+ members 🛡️ 182+ detections (KQL, Sigma, YARA, Splunk, Elastic...) That’s ~18 detections/day! 🔥 Join the global defender community & contribute! 🔗 Use invite code: Slim2025 #DefenderUnite

🕵️‍♂️ New Detection Drop "You enumerate. I correlate. You exfil. I alert." 🔥 Just shipped a Sentinel KQL detection for NauthNRPC — a stealthy RPC-based AD recon tool. github.com/sud0Ru/NauthNR… 🔍 Built to catch the quiet ones before they get loud. detections.ai/rules/f2769974…

Hunting Exposed JDWP 🚨 New from Wiz: Attackers are actively exploiting exposed Java Debug Wire Protocol (JDWP) ports in the wild. Misconfigured dev-mode deployments are giving threat actors RCE on cloud workloads. wiz.io/blog/exposed-j… KQL Code: detections.ai/rules/d4a19448…

🚨 Scattered Spider is back—and bolder. Check Point reveals 500+ phishing domains mimicking legit portals (e.g. victimname-okta[.]com) targeting aviation, tech, and more. No sector is safe. 🕷️✈️ blog.checkpoint.com/research/expos…

🕷️The Hunt for Spidy Phishing Domains🎣 The "KQL" to sniff out the web across your MDE & MDO telemetry 🤣 blog.checkpoint.com/research/expos… KQL: detections.ai/rules/1fb925e9…

🚨 2.3M users compromised. 18 Chrome & Edge extensions—once trusted, verified, even featured—turned into malware via silent updates. No phishing. No clicks. Just stealthy version bumps. blog.koi.security/google-and-mic… KQL Code: detections.ai/rules/39c4afce…

🚨New web spun alert! 🕷️ The domain auth-sso[.]com just popped up yesterday and it’s giving off major Scattered Spider vibes. Defender stay vigilant!🫡 #Cybersecurity #ThreatIntel #Checkpoint #ScatteredSpider

🚨 New table alert for hashtag#AdvancedHunting in hashtag#DefenderXDR: GraphApiAuditEvents (Preview) Track Microsoft Entra ID API calls to Graph API—see who accessed what, when, and how. Perfect for auditing Graph API usage & spotting anomalies.🫡 learn.microsoft.com/en-us/defender…

🔥𝗪𝗼𝗿𝗹𝗱 𝗙𝗶𝗿𝘀𝘁 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿𝗫𝗗𝗥 𝗚𝗿𝗮𝗽𝗵 𝗔𝗣𝗜 𝗧𝗵𝗿𝗲𝗮𝘁 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻🫡 Monitoring Copilot Data Exfiltration via Graph API detections.ai/share/rule/uv6…