Clicking on the name of a query will take you to its file in this git repo.
Or try them out right away in your M365 Security tenant:
Click on the '🔎' hotlink to plug the query straight into your Advanced Hunting query page.
- Identify top folder sub-paths that currently execute programs
- Useful for building your AppLocker policy
- Enter any number or combination of the following fields:
  - Hostname
  - Username
  - EmailAddress
  - SID
  - AzureAccountID
- Query will fill in the fields you don't know for each unique identity and fetch each person's Job Title
- Only needs a minimum of 1 value for any 1 field
- Finds all apps that have crashed in the last 7 days and sorts them by total number of crashes
- Includes total number of devices with crashes
- Includes list of devices for each app along with:
  - number of crashes on that device
  - last crash timestamp
- First query identifies the number of network connections to every TLD published by the IANA
- Second query is used to investigate individual connections to individual TLDs
- You can use this data to block entire TLDs with Windows Firewall in endpoint.microsoft.com
- Uncommon TLDs are often used in phishing attacks, malvertising, and malicious redirects