Clicking on the name of a query opens its file in this git repo.
Or try a query right away in your M365 Security tenant:
Click the '🔎' hotlink next to it to load the query directly into your Advanced Hunting query page.
- Performs an artifact comparison between known-good hosts and known-bad hosts
- The following datasets are returned: Alerts, Connected Networks, File Creations, Image Loads, Logons, Network Communications, Process Creations, PowerShell Commands, Registry Events, Raw IP Connection Events
- This query has no 🔎 hotlink because it is too long for Microsoft to encode in a URL
- Fill the given list with known compromised hosts
- Set the search window to the estimated compromise timeline
- Hunts for suspicious SMB connections to or from the compromised hosts
- Searches for various IOCs (IPs, domains, filenames, hashes)
- Searches process events, file events, network connections, and email attachments