Anomaly Hunting Queries

Clicking the name of a query takes you to its file in this git repo.

Or try the queries out right away in your Microsoft 365 Defender tenant:

Click the '🔎' hotlink next to a query to plug it straight into your Advanced Hunting query page.

  • Gets the top 5 devices that have had an anomalous spike in execution of .bat scripts in the past week
  • Gets the top 5 file types with the most anomalous spike in execution in the past week
  • Gets the top 5 users whose logons had the most anomalous spike in the past week and projects their daily logons onto a timechart for visual aid
      ◦ Service accounts showing up in this query are especially suspicious, since their logon volume is normally steady
  • Ranks the accounts that have the most remote logons
      ◦ Shows which devices each account has logged into
      ◦ Shows whether or not the account is a local admin
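The first three queries in the list share one pattern: bucket a count per day, decompose the series, and keep the largest positive anomalies. The KQL below is an added example written for this page, not one of the repo's own queries, showing that pattern for the .bat case. It assumes the standard Microsoft 365 Defender DeviceProcessEvents schema (Timestamp, DeviceName, FileName); the 30-day baseline window, the 7-day reporting window, the daily bucket and the 1.5 anomaly threshold are arbitrary choices.

```kql
// Added example (not from this repo): top 5 devices whose daily .bat execution
// count spiked anomalously in the past week.
// Assumption: standard DeviceProcessEvents schema (Timestamp, DeviceName, FileName).
let baseline_window = 30d;   // series_decompose_anomalies needs history to build a baseline;
let report_window   = 7d;    // only spikes inside this window are reported
let bucket          = 1d;
DeviceProcessEvents
| where Timestamp > ago(baseline_window)
| where FileName endswith ".bat"
// default = 0 matters: a day with no .bat launches must be a zero, not a missing point,
// otherwise the baseline is skewed upward and real spikes are hidden
| make-series ExecCount = count() default = 0
    on Timestamp from ago(baseline_window) to now() step bucket by DeviceName
// Anomalies: -1 / 0 / +1 per bucket, Score: how far outside the expected range, Baseline: expected count
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(ExecCount, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime), ExecCount to typeof(long),
            Anomalies to typeof(long), Score to typeof(double), Baseline to typeof(double)
| where Anomalies > 0                 // keep positive spikes only; a drop (-1) is not a spike
| where Timestamp > ago(report_window)
// one row per device: the bucket with its highest anomaly score
| summarize arg_max(Score, Timestamp, ExecCount, Baseline) by DeviceName
| top 5 by Score desc
| project DeviceName, SpikeDay = Timestamp, ExecCount, ExpectedCount = round(Baseline, 1), Score
```

The file-type variant is the same query grouped by the extension taken from FileName instead of by DeviceName; the user variant runs over DeviceLogonEvents grouped by AccountName, and appending `| render timechart` directly after the make-series step gives the daily timechart the third query describes. A one-week series is too short to decompose on its own, which is why the baseline window is longer than the reporting window.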
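The last query in the list is a ranking rather than an anomaly decomposition. The KQL below is an added example written for this page, not the repo's own query; it assumes the standard DeviceLogonEvents schema (ActionType, LogonType, RemoteIP, IsLocalAdmin, AccountDomain, AccountName, DeviceName), and the 7-day window, the set of remote logon types and the set-size caps are arbitrary choices.

```kql
// Added example (not from this repo): accounts ranked by number of successful
// remote logons in the past week, with the devices reached and a local-admin flag.
// Assumption: standard DeviceLogonEvents schema.
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
// RemoteInteractive = RDP, Network = SMB/WinRM-style network logons; both come from another host
| where LogonType in ("RemoteInteractive", "Network")
| where isnotempty(RemoteIP)          // drop events with no remote origin recorded
| extend Account = strcat(AccountDomain, @"\", AccountName)
| summarize RemoteLogons = count(),
            DeviceCount  = dcount(DeviceName),
            Devices      = make_set(DeviceName, 50),   // capped so one noisy account cannot blow up the row
            SourceIPs    = make_set(RemoteIP, 20),
            AdminLogons  = countif(IsLocalAdmin == true)
  by Account
| extend WasLocalAdmin = AdminLogons > 0  // true if the account was local admin on any device it reached
| order by RemoteLogons desc
| take 20
```

Reading the result: a high RemoteLogons count spread over many devices with WasLocalAdmin true is the lateral-movement shape worth checking first, and a service account near the top of this list deserves the same scrutiny the third query's note gives it.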