resolved merge conflicts

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -247,5 +247,6 @@
   "WindowsFirewallAma",
   "1Password",
   "RadiflowIsid",
-  "CustomLogsAma"
+  "CustomLogsAma",
+  "SilverfortAma"
 ]

DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md

@@ -0,0 +1,40 @@
+# Function app manual deployment instructions 
+
+- Start VS Code. Choose File in the main menu and select Open Folder.
+
+- Select the top level folder from extracted files.
+
+- Choose the Azure icon in the Activity bar, if you aren't already signed in, choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose Sign in to Azure
+
+- If you're already signed in, go to the next step.
+
+- Provide the following information at the prompts:
+
+	a. **Select folder**: Choose a folder from your workspace or browse to one that contains your function app.
+
+	b. **Select Subscription**: Choose the subscription to use under resources.
+	
+	![Select Subscription](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/subscription.png)
+
+	c. Right click on the functions and select **Create new Function App in Azure** (Don't choose the Advanced option)
+
+	![Create new Function App in Azure](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/CreatenewFunctionApp.png)
+
+	d. **Enter a globally unique name for the function app**: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. UmbrellaXYZ).
+	
+	![Enter a globally unique name](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/globallyuniquename.png)
+
+	e. **Select a runtime**: Choose Python 3.9.
+
+	![Select a runtime](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectaruntime.png)
+
+	f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.
+
+	![Select a location for new resources](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectalocation.png)
+
+- Deployment will begin. A notification is displayed after your function app is created.
+
+- Deploy the function in Function app: Once the function app is created click on deploy button under workspace section. Select the Subcription and the function app in which function needs to be deployed.
+![Deploy the function in Function app](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Deploythefunction.png)
+
+- Go to Azure Portal for the Function App configuration. 

Hunting Queries/Microsoft 365 Defender/Device Inventory/MDE_FindOutOfDateClients.YAML

@@ -5,17 +5,17 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceInfo
+  - DeviceInfo
 query: |
-//Find out of date clients
+  //Find out of date clients
-DeviceInfo
+  DeviceInfo
-| where OSPlatform contains "Windows"
+  | where OSPlatform contains "Windows"
-| summarize arg_max(Timestamp, *) by DeviceId
+  | summarize arg_max(Timestamp, *) by DeviceId
-| extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7))
+  | extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7))
-| where MajorClientVersion < 10.8500
+  | where MajorClientVersion < 10.8500
-| where OnboardingStatus == "Onboarded"
+  | where OnboardingStatus == "Onboarded"
-| project-reorder ClientVersion
+  | project-reorder ClientVersion
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_AVScanTimesAndType.YAML

@@ -5,15 +5,15 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-//List all the scan types and device name of those scans
+  //List all the scan types and device name of those scans
-DeviceEvents
+  DeviceEvents
-| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
+  | where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
-| extend A=parse_json(AdditionalFields)  
+  | extend A=parse_json(AdditionalFields)  
-| project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User
+  | project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User
-| sort by Timestamp desc
+  | sort by Timestamp desc
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BlockingASRRules.YAML

@@ -5,15 +5,15 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-DeviceEvents 
+  DeviceEvents 
-| where ActionType startswith "ASR"
+  | where ActionType startswith "ASR"
-| extend Fields=parse_json(AdditionalFields)
+  | extend Fields=parse_json(AdditionalFields)
-| extend IsAudit = tostring(Fields.IsAudit)
+  | extend IsAudit = tostring(Fields.IsAudit)
-| where IsAudit == "false"
+  | where IsAudit == "false"
-| project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId
+  | project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BrowserExtensionInstalled.YAML

@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceFileEvents
+  - DeviceFileEvents
 query: |
-DeviceFileEvents 
+  DeviceFileEvents 
-| where FileOriginReferrerUrl <> ""
+  | where FileOriginReferrerUrl <> ""
-| where FileName contains ".crx"
+  | where FileName contains ".crx"
-| project DeviceName, FileName, FolderPath, FileOriginReferrerUrl
+  | project DeviceName, FileName, FolderPath, FileOriginReferrerUrl
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceHealth.YAML

@@ -5,23 +5,23 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceTvmSecureConfigurationAssessment
+  - DeviceTvmSecureConfigurationAssessment
 query: |
-let avmodetable = DeviceTvmSecureConfigurationAssessment
+  let avmodetable = DeviceTvmSecureConfigurationAssessment
-| where ConfigurationId == "scid-2010" and isnotnull(Context)
+  | where ConfigurationId == "scid-2010" and isnotnull(Context)
-| extend avdata=parsejson(Context)
+  | extend avdata=parsejson(Context)
-| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2', 'SxS Passive' ,'Unknown'))))
+  | extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2',  'SxS Passive' ,'Unknown'))))
-| project DeviceId, AVMode;
+  | project DeviceId, AVMode;
-DeviceTvmSecureConfigurationAssessment
+  DeviceTvmSecureConfigurationAssessment
-| where ConfigurationId == "scid-2011" and isnotnull(Context)
+  | where ConfigurationId == "scid-2011" and isnotnull(Context)
-| extend avdata=parsejson(Context)
+  | extend avdata=parsejson(Context)
-| extend AVSigVersion = tostring(avdata[0][0])
+  | extend AVSigVersion = tostring(avdata[0][0])
-| extend AVEngineVersion = tostring(avdata[0][1])
+  | extend AVEngineVersion = tostring(avdata[0][1])
-| extend AVSigLastUpdateTime = tostring(avdata[0][2])
+  | extend AVSigLastUpdateTime = tostring(avdata[0][2])
-| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
+  | project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
-| join avmodetable on DeviceId
+  | join avmodetable on DeviceId
-| project-away DeviceId1
+  | project-away DeviceId1
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceInventory-LastUserLoggedIn.YAML

@@ -5,34 +5,34 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-let LastLogins=DeviceLogonEvents
+  let LastLogins=DeviceLogonEvents
     | where LogonType == "Interactive"
     | where InitiatingProcessParentFileName == "wininit.exe"
     | summarize LastLogon=arg_max(Timestamp, *) by AccountName, DeviceName
     | project AccountName, DeviceName, LastLogon;
-let Logins=DeviceLogonEvents
+  let Logins=DeviceLogonEvents
     | where LogonType == "Interactive"
     | where InitiatingProcessParentFileName == "wininit.exe"        
     | summarize Logins=count() by AccountName, DeviceName
     | project AccountName, Logins, DeviceName;
-let NetworkInfo=DeviceNetworkInfo
+  let NetworkInfo=DeviceNetworkInfo
     | where IPv4Dhcp <> ""
     | mvexpand parse_json(IPAddresses)
     | where IPAddresses.IPAddress !contains ":"
     | summarize arg_max(Timestamp, *) by DeviceName
     | project DeviceName, IPAddress=IPAddresses.IPAddress, Timestamp;
-Logins
+  Logins
-| join kind=inner ( LastLogins
+  | join kind=inner ( LastLogins
     | project AccountName, DeviceName, LastLogon
-) on DeviceName, AccountName
+  ) on DeviceName, AccountName
-| join kind=leftouter  ( NetworkInfo
+  | join kind=leftouter  ( NetworkInfo
     | project DeviceName, IPAddress, Timestamp
-) on DeviceName
+  ) on DeviceName
-| project AccountName, DeviceName, LastLogon, Logins, IPAddress
+  | project AccountName, DeviceName, LastLogon, Logins, IPAddress
-| sort by DeviceName
+  | sort by DeviceName
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Evidenceforasingledevice.YAML

@@ -5,52 +5,52 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - AlertEvidence
+  - AlertEvidence
 query: |
-//Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM.
+  //Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM.
-let _F = AlertEvidence
+  let _F = AlertEvidence
     | where DeviceName == "Yourendpointhere" 
     | distinct AlertId;
-let _Process = AlertEvidence
+  let _Process = AlertEvidence
     | where EntityType == "Process"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, FileName, FolderPath, SHA1, SHA256, FileSize, ProcessCommandLine, AdditionalFields;
-let _IP = AlertEvidence
+  let _IP = AlertEvidence
     | where EntityType == "Ip"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, RemoteIP, AdditionalFields;
-let _URL = AlertEvidence
+  let _URL = AlertEvidence
     | where EntityType == "Url"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, RemoteUrl, AdditionalFields;
-let _User = AlertEvidence
+  let _User = AlertEvidence
     | where EntityType == "User"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, AccountName, AccountDomain, AccountSid, AccountUpn, AdditionalFields;
-let _Machine = AlertEvidence
+  let _Machine = AlertEvidence
     | where EntityType == "Machine"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, DeviceName, LocalIP, AdditionalFields;
-_Machine
+  _Machine
-| join _F on $left.AlertId == $right.AlertId
+  | join _F on $left.AlertId == $right.AlertId
-| join _IP on $left.AlertId == $right.AlertId
+  | join _IP on $left.AlertId == $right.AlertId
-| join _Process on $left.AlertId == $right.AlertId
+  | join _Process on $left.AlertId == $right.AlertId
-| join _URL on $left.AlertId == $right.AlertId
+  | join _URL on $left.AlertId == $right.AlertId
-| join _User on $left.AlertId == $right.AlertId
+  | join _User on $left.AlertId == $right.AlertId
-| distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn, 
+  | distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn, 
     DeviceName, LocalIP, FileSize, FolderPath, SHA1, SHA256, ProcessCommandLine,
     RemoteIP, RemoteUrl
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindDefenderSettingsOnEndpoints.YAML

@@ -5,18 +5,18 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceBaselineComplianceAssessment
+  - DeviceBaselineComplianceAssessment
 query: |
-//Find Windows Defender Settings
+  //Find Windows Defender Settings
-DeviceBaselineComplianceAssessment 
+  DeviceBaselineComplianceAssessment 
-| where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\"
+  | where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\"
-| project DeviceName, Source, CurrentValue
+  | project DeviceName, Source, CurrentValue
 
-//Find Windows Defender Security Center Settings
+  //Find Windows Defender Security Center Settings
-DeviceBaselineComplianceAssessment 
+  DeviceBaselineComplianceAssessment 
-| where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\"
+  | where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\"
-| project DeviceName, Source, CurrentValue
+  | project DeviceName, Source, CurrentValue
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindLNKFilesOnEndpoints.YAML

@@ -5,14 +5,14 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceFileEvents
+  - DeviceFileEvents
 query: |
-//Find LNK files on certain devices
+  //Find LNK files on certain devices
-DeviceFileEvents
+  DeviceFileEvents
-| where DeviceName  == "EndpointNameHere"
+  | where DeviceName  == "EndpointNameHere"
-| where FileName contains ".LNK" 
+  | where FileName contains ".LNK" 
-| project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath
+  | project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindMountedISOandDriveLetters.YAML

@@ -5,29 +5,29 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceFileEvents
+  - DeviceFileEvents
 query: |
-//Find Mounted ISO files and drive letters
+  //Find Mounted ISO files and drive letters
-DeviceFileEvents
+  DeviceFileEvents
-| where Timestamp > ago(1d)
+  | where Timestamp > ago(1d)
-| where FileName endswith "iso"
+  | where FileName endswith "iso"
-| project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath
+  | project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath
-| join kind = inner ( 
+   | join kind = inner ( 
     DeviceFileEvents
     | where Timestamp > ago(1d)
     | where FileName endswith "lnk" 
     | extend ['LNK FileName'] = FileName
     | project ['LNK FileName'], DeviceName
     ) on DeviceName
-| join kind = inner (
+  | join kind = inner (
     DeviceRegistryEvents 
     | where Timestamp > ago(1d)
     | where RegistryKey contains "MountedDevices"
     | project ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), DeviceName, RegistryValueName
     ) on DeviceName
-| where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName)
+  | where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName)
-| distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName
+  | distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindsPowerShellExecutionEvents.YAML

@@ -5,18 +5,18 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceProcessEvents
+  - DeviceProcessEvents
 query: |
-// Finds PowerShell execution events that could involve a download.
+  // Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents  
+  DeviceProcessEvents  
-| where Timestamp > ago(7d)
+  | where Timestamp > ago(7d)
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
+  | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
-| where ProcessCommandLine has "Net.WebClient"
+  | where ProcessCommandLine has "Net.WebClient"
         or ProcessCommandLine has "DownloadFile"
         or ProcessCommandLine has "Invoke-WebRequest"
         or ProcessCommandLine has "Invoke-Shellcode"
         or ProcessCommandLine has "http:"
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,DeviceId, ReportId
+  | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,DeviceId, ReportId
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindstatuschangefromExposurelevel.YAML

@@ -5,19 +5,19 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceInfo
+  - DeviceInfo
 query: |
-//Find status change from Exposurelevel 
+  //Find status change from Exposurelevel 
-DeviceInfo
+  DeviceInfo
-| serialize  
+  | serialize  
-| where ExposureLevel == "High"
+  | where ExposureLevel == "High"
-| where Timestamp > ago(12h)
+  | where Timestamp > ago(12h)
-| extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
+  | extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
-| extend PrevExposureLevel = prev(ExposureLevel)
+  | extend PrevExposureLevel = prev(ExposureLevel)
-| where PrevExposureLevel <> ExposureLevel
+  | where PrevExposureLevel <> ExposureLevel
-| where ExposureLevel <> "Medium" or ExposureLevel <> "Low"
+  | where ExposureLevel <> "Medium" or ExposureLevel <> "Low"
-| where PrevExposureLevel  <> "High"
+  | where PrevExposureLevel  <> "High"
-| distinct DeviceName, ExposureLevel,PrevExposureLevel, DeviceId, Date, ReportId, Timestamp
+  | distinct DeviceName, ExposureLevel,PrevExposureLevel, DeviceId, Date, ReportId, Timestamp
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAlPnPDevicesAllowedorBlocked.YAML

@@ -5,17 +5,17 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-//List all PnP Devices that have been allowed or blocked
+  //List all PnP Devices that have been allowed or blocked
-DeviceEvents
+  DeviceEvents
-| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
+  | where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
-| extend parsed=parse_json(AdditionalFields)
+  | extend parsed=parse_json(AdditionalFields)
-| extend MediaClassGuid = tostring(parsed.ClassGuid)
+  | extend MediaClassGuid = tostring(parsed.ClassGuid)
-| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
+  | extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
-| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
+  | extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
-| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
+  | project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
-| order by Timestamp desc
+  | order by Timestamp desc
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAllNotOnboardedEnpoints.YAML

@@ -5,14 +5,14 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceInfo
+  - DeviceInfo
 query: |
-//List all devices that are not onboarded
+  //List all devices that are not onboarded
-DeviceInfo
+  DeviceInfo
-| extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
+  | extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
-| where OnboardingStatus <> "Onboarded"
+  | where OnboardingStatus <> "Onboarded"
-| where Timestamp > ago(1d)
+  | where Timestamp > ago(1d)
-| distinct DeviceName, Date, OnboardingStatus, Timestamp
+  | distinct DeviceName, Date, OnboardingStatus, Timestamp
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport-DNS.YAML

@@ -5,14 +5,14 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceNetworkEvents
+  - DeviceNetworkEvents
 query: |
-//Network traffic going to DNS(Port 53)
+  //Network traffic going to DNS(Port 53)
-DeviceNetworkEvents
+  DeviceNetworkEvents
-| where RemotePort == "53"
+  | where RemotePort == "53"
-| where RemoteUrl <> ""
+  | where RemoteUrl <> ""
-| project Timestamp, DeviceName, RemotePort, RemoteUrl
+  | project Timestamp, DeviceName, RemotePort, RemoteUrl
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport.YAML

@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceNetworkEvents
+  - DeviceNetworkEvents
 query: |
-//Network traffic going to port 80 and 443
+  //Network traffic going to port 80 and 443
-DeviceNetworkEvents 
+  DeviceNetworkEvents 
-| where RemotePort == "80" or RemotePort == "443"
+  | where RemotePort == "80" or RemotePort == "443"
-| project Timestamp, DeviceName, RemotePort, RemoteIP, RemoteUrl
+  | project Timestamp, DeviceName, RemotePort, RemoteIP, RemoteUrl
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ProxyChangesViaRegistry.YAML

@@ -5,12 +5,12 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceRegistryEvents
+  - DeviceRegistryEvents
 query: |
-//Detect Proxy configurations changes on endpoints
+  //Detect Proxy configurations changes on endpoints
-DeviceRegistryEvents 
+  DeviceRegistryEvents 
-| where RegistryValueName contains "AutoConfigURL" or RegistryValueName contains "Proxy"
+  | where RegistryValueName contains "AutoConfigURL" or RegistryValueName contains "Proxy"
-| project DeviceName, RegistryKey, RegistryValueName,RegistryValueData
+  | project DeviceName, RegistryKey, RegistryValueName,RegistryValueData
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedDevicesAndDriveLetter.YAML

@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-//Show usb mounted devices and drive letters
+  //Show usb mounted devices and drive letters
-DeviceEvents
+  DeviceEvents
-| where ActionType contains "USB"
+  | where ActionType contains "USB"
-| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
+  | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
-| distinct DeviceName, ActionType, DriveLetter, Timestamp
+  | distinct DeviceName, ActionType, DriveLetter, Timestamp
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedandfilescopied.YAML

@@ -5,20 +5,20 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-//Show usb mounted and files copied
+  //Show usb mounted and files copied
-DeviceEvents
+  DeviceEvents
-| where ActionType contains "USB"
+  | where ActionType contains "USB"
-| where Timestamp > ago(1d)
+  | where Timestamp > ago(1d)
-| project USBMountTime = Timestamp, DeviceName, DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
+  | project USBMountTime = Timestamp, DeviceName, DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
-| join (DeviceFileEvents
+  | join (DeviceFileEvents
     | where Timestamp > ago(1d)
     | where ActionType == "FileCreated"
     | parse FolderPath with DriveLetter '\\' *
     | extend DriveLetter = tostring(DriveLetter))on DeviceName, DriveLetter
-| project USBMountTime, DeviceName, DriveLetter, ActionType, FileName, FolderPath, FileSize
+  | project USBMountTime, DeviceName, DriveLetter, ActionType, FileName, FolderPath, FileSize
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SmartScreenCheck.YAML

@@ -5,23 +5,23 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceNetworkEvents
+  - DeviceNetworkEvents
 query: |
-DeviceNetworkEvents 
+  DeviceNetworkEvents 
-| where RemoteUrl <> ""
+  | where RemoteUrl <> ""
-| extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt')
+  | extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt')
-| join kind=leftouter (DeviceEvents
+  | join kind=leftouter (DeviceEvents
     | where ActionType == 'SmartScreenUrlWarning' or ActionType == 'ExploitGuardNetworkProtectionBlocked'
     | extend A=parse_json(AdditionalFields)
     | extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt')
     ) on DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName, TimeStampformated
-| where InitiatingProcessFileName == "msedge.exe" or InitiatingProcessFileName == "chrome.exe"
+  | where InitiatingProcessFileName == "msedge.exe" or InitiatingProcessFileName == "chrome.exe"
-//| where RemoteUrl contains "facebook"
+  //| where RemoteUrl contains "facebook"
-//| where InitiatingProcessAccountName contains "Matt"
+  //| where InitiatingProcessAccountName contains "Matt"
-//| where ActionType1 <> ""
+  //| where ActionType1 <> ""
-| distinct TimeStampformated,DeviceName, Action=ActionType1, URL_IPAddress=RemoteIP, URL=RemoteUrl, Username=InitiatingProcessAccountName, Browser=InitiatingProcessFileName
+  | distinct TimeStampformated,DeviceName, Action=ActionType1, URL_IPAddress=RemoteIP, URL=RemoteUrl, Username=InitiatingProcessAccountName, Browser=InitiatingProcessFileName
-| order by TimeStampformated desc
+  | order by TimeStampformated desc
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SoftwareInventorybyOS.YAML

@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceTvmSoftwareInventory
+  - DeviceTvmSoftwareInventory
 query: |
-//Software Inventory by OS
+  //Software Inventory by OS
-DeviceTvmSoftwareInventory 
+  DeviceTvmSoftwareInventory 
-| where OSPlatform contains "iOS"
+  | where OSPlatform contains "iOS"
-| project DeviceName,SoftwareName, SoftwareVendor, SoftwareVersion
+  | project DeviceName,SoftwareName, SoftwareVendor, SoftwareVersion
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Discovery/MDI_Objects_Moving_OUs.YAML

@@ -5,31 +5,31 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - IdentityDirectoryEvents
+  - IdentityDirectoryEvents
 tactics:
 - Credential Access
 query: |
-//Moving User Objects to different OUs 
+  //Moving User Objects to different OUs 
-IdentityDirectoryEvents
+  IdentityDirectoryEvents
-| where ActionType == 'Account Path changed' 
+  | where ActionType == 'Account Path changed' 
-| extend parsed=parse_json(AdditionalFields)
+  | extend parsed=parse_json(AdditionalFields)
-| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
+  | extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
-| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
+  | extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
-| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
+  | extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
-| extend Affected_User = iff( isnull(AdditionalFields.["TARGET_OBJECT.USER"]), AdditionalFields.["TARGET_OBJECT.USER"], AdditionalFields.["TARGET_OBJECT.USER"])
+  | extend Affected_User = iff( isnull(AdditionalFields.["TARGET_OBJECT.USER"]), AdditionalFields.["TARGET_OBJECT.USER"], AdditionalFields.["TARGET_OBJECT.USER"])
-| where TargetDeviceName == ""
+  | where TargetDeviceName == ""
-| project Timestamp, ActionType, INITIATED_BY, Affected_User, FROM_Account_Path, TO_Account_Path, AdditionalFields
+  | project Timestamp, ActionType, INITIATED_BY, Affected_User, FROM_Account_Path, TO_Account_Path, AdditionalFields
 
-//Moving Computer Objects to different OUs 
+  //Moving Computer Objects to different OUs 
-IdentityDirectoryEvents
+  IdentityDirectoryEvents
-| where ActionType == 'Account Path changed' 
+  | where ActionType == 'Account Path changed' 
-| extend parsed=parse_json(AdditionalFields)
+  | extend parsed=parse_json(AdditionalFields)
-| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
+  | extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
-| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
+  | extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
-| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
+  | extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
-| where TargetDeviceName <> ""
+  | where TargetDeviceName <> ""
-| project Timestamp, ActionType, INITIATED_BY, TargetDeviceName, FROM_Account_Path, TO_Account_Path, AdditionalFields
+  | project Timestamp, ActionType, INITIATED_BY, TargetDeviceName, FROM_Account_Path, TO_Account_Path, AdditionalFields
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml

@@ -2,12 +2,17 @@ id: 518e6938-10ef-4165-af19-82f1287141bc
 name: ATP policy status check
 description: |
   This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
+description-detailed: |
+  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
   CloudAppEvents
   | where Application == "Microsoft Exchange Online"
@@ -19,3 +24,4 @@ query: |
   | extend packed = pack(Name, Value)
   | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
   | evaluate bag_unpack(PackedInfo)
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml

@@ -2,12 +2,17 @@ id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
 name: JNLP-File-Attachment
 description: |
   JNLP file extensions are an uncommon file type often used to deliver malware.
+description-detailed: |
+  JNLP file extensions are an uncommon file type often used to deliver malware.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailAttachmentInfo
 tactics:
-- Initial access
+- InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailAttachmentInfo
   | where FileName endswith ".jnlp"
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml

@@ -2,12 +2,17 @@ id: 16eda414-1550-4cdc-8512-0769901d3f05
 name: Safe Attachments detections
 description: |
   This query provides insights on the detections done by Safe Attachment detections
+description-detailed: |
+  This query provides insights on the detections done by Safe Attachment detections.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where DetectionMethods != "" 
@@ -15,3 +20,4 @@ query: |
   | where detection has "File detonation reputation" or detection has "File detonation"
   | summarize total=count() by bin(Timestamp, 1d) 
   | order by Timestamp asc
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml

@@ -2,12 +2,17 @@ id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
 name: Authentication failures by time and authentication type
 description: |
   This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
+description-detailed: |
+  This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago (30d)
@@ -15,3 +20,4 @@ query: |
   | evaluate bag_unpack(AR)
   | where DMARC == "fail"
   | summarize count() by bin(Timestamp, 1d)
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml

@@ -1,16 +1,22 @@
 id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
 name: Spoof attempts with auth failure
 description: |
-  this query helps in checking for spoofing attempts on the domain with Authentication failures
+  This query helps in checking for spoofing attempts on the domain with Authentication failures
+description-detailed: |
+  This query helps in checking for spoofing attempts on the domain with Authentication failures.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where Timestamp > ago (1d) and DetectionMethods contains "spoof"  
   | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames  
   | evaluate bag_unpack(AR)  
   | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml

@@ -1,13 +1,18 @@
 id: ba1a91ad-1f99-4386-b191-06a76ef213f8
 name: Audit Email Preview-Download action
 description: |
-  This query helps report on who Previewed/Downloaded email messages using Email entitiy page in MDO
+  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
+description-detailed: |
+  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - CloudAppEvents
 tactics:
-- Privilege escalation
+- PrivilegeEscalation
+relevantTechniques:
+  - T1078
 query: |
   CloudAppEvents
   | project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData) 
@@ -20,4 +25,5 @@ query: |
   | extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
   | summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName),  DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
   | extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
-  | project-away RowNumber
+  | project-away RowNumber
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml

@@ -1,14 +1,20 @@
 id: bc2d8214-afb6-4876-b210-25b69325b9b2
 name: Hunt for TABL changes
 description: |
-  This query helps hunting for Tenant allow/block list (TABL) changes in MDO
+  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
+description-detailed: |
+  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - CloudAppEvents
 tactics:
-- Defense evasion
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
   CloudAppEvents
   | where ActionType contains "TenantAllowBlockListItems"
-  | order by Timestamp desc
+  | order by Timestamp desc
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml

@@ -1,15 +1,20 @@
 id: 712ffdd8-ddce-4372-85dd-063029b418cf
 name: Local time to UTC time conversion
 description: |
-  Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
+  Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
+description-detailed: |
+  This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
   | where DeliveryAction == "Delivered"
   | where LatestDeliveryLocation == "Quarantine"
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml

@@ -1,7 +1,10 @@
 id: deb4b2c6-c10e-4044-8cf4-84243e40db73
 name: MDO daily detection summary report
 description: |
-  This query helps report daily on total # of emails, total # of emails detected as Malware, Phish, Spam, Bulk, total number of user/admin submissions, total # of ZAP events, total # of AIR investigations and their result
+  This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
+description-detailed: |
+  This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
@@ -10,7 +13,9 @@ requiredDataConnectors:
   - EmailEvents
   - EmailPostDeliveryEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let QueryTime = 30d;
   let Reports = CloudAppEvents 
@@ -57,4 +62,5 @@ query: |
   | join kind=fullouter ThreatByAutomation on Date_value
   | sort by Date_value asc
   | project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
-  | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
+  | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml

@@ -2,15 +2,20 @@ id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
 name: Mail item accessed
 description: |
   This query helps reviewing emails accessed by end users using cloud app events data
+description-detailed: |
+  This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents
   | where Timestamp > ago(30d)
   | extend Record= (parse_json(RawEventData)).RecordType
   | where Record == 50
   | take 10
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml

@@ -1,13 +1,17 @@
 id: 63c799bc-7567-4e4d-97be-e143fcfaa333
 name: Malicious email senders
 description: |
-  This query helps reviewing emails from sender with atleast one email in quarantine
+  This query helps hunting for emails from a sender with at least one email in quarantine
+description-detailed: |
+  This query helps hunting for emails from a sender with at least one email detected with a threat and sent into quarantine
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let SenderWithQuarantine = EmailEvents
   | where LatestDeliveryLocation == "Quarantine"
@@ -15,3 +19,4 @@ query: |
   EmailEvents
   | where LatestDeliveryLocation == "Inbox/folder"
   | where SenderFromAddress in (SenderWithQuarantine)
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml

@@ -1,15 +1,18 @@
 id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
 name: New TABL Items
 description: |
-  Identifies new items being added to the Tenant/Allow Block List (TABL). The output includes details about both Allow and Block entries.
+  This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
+description-detailed: |
+  This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - CloudAppEvents
 tactics:
-- DefenseEvasion
+  - DefenseEvasion
 relevantTechniques:
-  - T1484
+  - T1562
 query: |
   CloudAppEvents
   | where ActionType == "New-TenantAllowBlockListItems"
@@ -27,3 +30,4 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: AccountUpn
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml

@@ -0,0 +1,18 @@
+id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
+name: Emails containing links to IP addresses
+description: |
+  This query helps hunting for Emails containing links to IP addresses
+description-detailed: |
+  This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailUrlInfo
+  | where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml

@@ -0,0 +1,30 @@
+id: e6259b03-622e-4e11-9c54-94987dad7c14
+name: Good emails from senders with bad patterns
+description: |
+  This query helps hunting for good emails from senders with bad patterns
+description-detailed: |
+  This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+    //Good emails from senders with bad patterns
+    let PctPhishThreshold = 50;
+    let LookbackWindow = 1d;
+     EmailEvents
+    | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
+    | extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
+    | where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
+    | summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
+    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
+    | summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
+    | project-away SenderMailFromAddress1,AuthenticationDetails1
+    | extend PctPhish = (PhishCount*100 / TotalCount)
+    | where PctPhish < 100 and PctPhish>= PctPhishThreshold
+    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml

@@ -2,12 +2,16 @@ id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72
 name: Hunt for email conversation take over attempts
 description: |
   This query helps hunting for email conversation take over attempts
+description-detailed: |
+  This query helps hunting for email conversation take over attempts using Defender for Office 365 data.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let emailDelivered = EmailEvents
   | where Timestamp < ago(4hrs)
@@ -32,4 +36,5 @@ query: |
   and Pair1 == ""
   | join kind=leftouter (EmailDomains) on SenderFromDomain
   | where SenderFromDomain1 == ""
-  | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
+  | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml

@@ -2,13 +2,18 @@ id: 57f95ba7-938d-4a76-b411-c01034c0d167
 name: Hunt for malicious URLs using external IOC source
 description: |
   This query helps hunt for emails with malicious URLs based on external IOC source
+description-detailed: |
+  This query helps hunt for emails with malicious URLs based on URLs from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
+  Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailUrlInfo
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let url = (externaldata(url: string )
   [@"https://urlhaus.abuse.ch/downloads/text_online/"]
@@ -19,4 +24,5 @@ query: |
   | where Timestamp > ago(2h) 
   ) on $left.url == $right.Url
   |join EmailEvents on NetworkMessageId
-  |project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
+  |project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml

@@ -2,12 +2,17 @@ id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe
 name: Hunt for malicious attachments using external IOC source
 description: |
   This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source
+description-detailed: |
+  This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
+  Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailAttachmentInfo
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let abuse_sha256 = (externaldata(sha256_hash: string)
   [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
@@ -18,4 +23,5 @@ query: |
   | join (EmailAttachmentInfo
   | where Timestamp > ago(1d)
   ) on $left.sha256_hash == $right.SHA256
-  | project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
+  | project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml

@@ -2,14 +2,20 @@ id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
 name: Inbox rule changes which forward-redirect email
 description: |
   This query helps hunting for Inbox rule changes which forward-redirect email
+description-detailed: |
+  This query helps hunting for Inbox rule changes which forward-redirect email
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - CloudAppEvents
 tactics:
-- Persistence
+  - Persistence
+relevantTechniques:
+  - T1098
 query: |
   CloudAppEvents
   | where ActionType contains "Set-InboxRule"
   |extend Parameters = tostring((parse_json(RawEventData)).Parameters)
-  |where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
+  |where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML

@@ -2,19 +2,25 @@ id: 430a9c0d-f3ce-46a3-a994-92b3ada0d1b2
 name: MDO_CountOfRecipientsEmailaddressbySubject
 description: |
   Count of recipient's email addresses by subject
+description-detailed: |
+  Count of recipient's email addresses by subject
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-//Count of recipient's email addresses by subject
+  //Count of recipient's email addresses by subject
-EmailEvents
+  EmailEvents
-//Change the date for as far back as you want to go
+  //Change the date for as far back as you want to go
-| where Timestamp > ago(10d)
+  | where Timestamp > ago(10d)
-| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
+  | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
-//Change the Count of how many times the email with the same subject has come in
+  //Change the Count of how many times the email with the same subject has come in
-| where CountRecipientEmailAddress >= 15
+  | where CountRecipientEmailAddress >= 15
-| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
+  | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
 metadata:
     source:
         kind: Community
@@ -23,4 +29,5 @@ metadata:
     support:
         tier: Community
     categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML

@@ -2,19 +2,25 @@ id: b95994d1-1008-4c42-a74f-9f2967e39ed6
 name: MDO_CountOfSendersEmailaddressbySubject
 description: |
   Count of sender's email addresses by subject
+description-detailed: |
+  Count of sender's email addresses by subject
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-//Count of sender's email addresses by subject
+  //Count of sender's email addresses by subject
-EmailEvents
+  EmailEvents
-//Change the date for as far back as you want to go
+  //Change the date for as far back as you want to go
-| where Timestamp > ago(10d)
+  | where Timestamp > ago(10d)
-| summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
+  | summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
-//Change the Count of how many times the email with the same subject has come in
+  //Change the Count of how many times the email with the same subject has come in
-| where CountSenderFromAddress >= 10
+  | where CountSenderFromAddress >= 10
-| project SenderFromAddress, CountSenderFromAddress, Subject
+  | project SenderFromAddress, CountSenderFromAddress, Subject
 metadata:
     source:
         kind: Community
@@ -23,4 +29,5 @@ metadata:
     support:
         tier: Community
     categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML

@@ -1,20 +1,26 @@
 id: f840db5b-87c9-43c8-a8c3-5b6b83838cd4
 name: MDO_Countofrecipientsemailaddressesbysubject
 description: |
-  Count of recipient's email addresses by subject 
+  Count of recipient's email addresses by subject
+description-detailed: |
+  Count of recipient's email addresses by subject  
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566  
 query: |
-//Count of recipient's email addresses by subject
+  //Count of recipient's email addresses by subject
-EmailEvents
+  EmailEvents
-//Change the date for as far back as you want to go
+  //Change the date for as far back as you want to go
-| where Timestamp > ago(10d)
+  | where Timestamp > ago(10d)
-| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
+  | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
-//Change the Count of how many times the email with the same subject has come in
+  //Change the Count of how many times the email with the same subject has come in
-| where CountRecipientEmailAddress >= 15
+  | where CountRecipientEmailAddress >= 15
-| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
+  | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
 metadata:
     source:
         kind: Community
@@ -23,4 +29,5 @@ metadata:
     support:
         tier: Community
     categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML

@@ -2,20 +2,26 @@ id: a96c1571-1f7d-48dc-8287-7df5a5f0d987
 name: MDO_SummaryOfSenders
 description: |
   Count of all Senders and where they were delivered
+description-detailed: |
+  Count of all Senders and where they were delivered
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-//Distinct Count
+  //Distinct Count
-EmailEvents
+  EmailEvents
-| summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
+  | summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
     Emails = count_distinct(DeliveryLocation == "Inbox/folder"),
     JunkEmails = count_distinct(DeliveryLocation == "Junk folder")by SenderFromAddress
 
-//Count of all Senders and where they were delivered
+  //Count of all Senders and where they were delivered
-EmailEvents
+  EmailEvents
-| summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
+  | summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
     Emails = count(DeliveryLocation == "Inbox/folder"),
     JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress
 metadata:
@@ -26,4 +32,5 @@ metadata:
     support:
         tier: Community
     categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML

@@ -2,15 +2,21 @@ id: 2c6e7f75-d83c-4344-afdc-83335fe550e6
 name: MDO_URLClickedinEmail
 description: |
   URLs clicked in Email
+description-detailed: |
+  URLs clicked in Email
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - UrlClickEvents
+  - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-UrlClickEvents
+  UrlClickEvents
-| where ActionType == "ClickAllowed"
+  | where ActionType == "ClickAllowed"
-//| where ActionType <> "ClickAllowed"
+  //| where ActionType <> "ClickAllowed"
-| project AccountUpn, ActionType, Url
+  | project AccountUpn, ActionType, Url
 metadata:
     source:
         kind: Community
@@ -19,4 +25,5 @@ metadata:
     support:
         tier: Community
     categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml

@@ -2,12 +2,17 @@ id: 1c51e10e-7f77-40bc-bd37-6aa55cdf94d6
 name: Detections by detection methods
 description: |
   This query helps reviewing malicious email detections by detection methods
+description-detailed: |
+  This query helps reviewing malicious email detections by detection methods in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-detection-technology-in-email-entity
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(7d)
@@ -38,3 +43,4 @@ query: |
               Campaign = countif(MDO_detection.Phish == @'["Campaign"]' or MDO_detection.Malware == @'["Campaign"]') by bin(Timestamp, 1d)
   | project Timestamp, TotalEmailCount, Phish_detection, Malware_detection, Spam_detection,URL_malicious_reputation,URL_detonation_reputation ,URL_detonation,Advanced_filter, General_filter,Spoof_intra_org,Spoof_external_domain,Spoof_DMARC,Impersonation_brand,Impersonation_user,Impersonation_domain,
   Mixed_analysis_detection,File_reputation,File_detonation,File_detonation_reputation,Antimalware_engine,Fingerprint_matching,Mailbox_intelligence_impersonation,Campaign
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml

@@ -2,12 +2,16 @@ id: da7b973a-0045-4fd6-9161-269369336d24
 name: Mail reply to new domain
 description: |
   This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
+description-detailed: |
+  This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let emailDelivered = EmailEvents
   | where Timestamp < ago(4hrs)
@@ -33,3 +37,4 @@ query: |
   | join kind=leftouter (EmailDomains) on SenderFromDomain
   | where SenderFromDomain1 == ""
   | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml

@@ -2,15 +2,20 @@ id: 6b478186-da3b-4d71-beaa-aa5b42908499
 name: Mailflow by directionality
 description: |
   This query helps reviewing inbound / outbound / intra-org emails by domain per day
+description-detailed: |
+  This query helps reviewing inbound / outbound / intra-org emails by domain per day
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where Timestamp > ago(30d)
   | extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1) 
   | summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d) 
   | order by Timestamp asc
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml

@@ -2,12 +2,16 @@ id: da932998-81dd-4be4-963c-f4890cb4192e
 name: Malicious emails detected per day
 description: |
   This query helps reviewing Malware, Phishing, Spam emails caught per day
+description-detailed: |
+  This query helps reviewing Malware, Phishing, Spam emails caught per day in Defender for Office 365
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where DetectionMethods != "" 
@@ -22,3 +26,4 @@ query: |
       'Spam') 
   | summarize total=count() by detection, bin(Timestamp, 1d) 
   | order by Timestamp asc
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml

@@ -2,12 +2,16 @@ id: b2beec6a-2c1c-4319-a191-e70c2ee42857
 name: Sender recipient contact establishment
 description: |
   This query helps in checking the sender-recipient contact establishment status
+description-detailed: |
+  This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let emailDelivered = EmailEvents
   | where Timestamp < ago(30d)
@@ -28,3 +32,4 @@ query: |
   | join kind=leftanti  ( emailDelivered ) on SenderFromAddress
   | order by SenderMailFromAddress
   | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml

@@ -1,16 +1,21 @@
 id: 12225f50-9d41-4b78-8269-cc127d98654c
 name: Top 100 malicious email senders
 description: |
-  This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days
+  This query helps reviewing top 100 malicious senders
+description-detailed: |
+  This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(30d)
   | where ThreatTypes has "Phish" or ThreatTypes has "Malware" 
   | summarize total=count() by SenderMailFromAddress 
   | top 100 by total
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml

@@ -2,14 +2,19 @@ id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
 name: Top 100 senders
 description: |
   This query helps reviewing top 100 senders in your organization in last 30 days
+description-detailed: |
+  This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where Timestamp > ago(30d)
   | summarize mailCountBySender = count() by SenderMailFromAddress 
   | top 100 by mailCountBySender
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml

@@ -2,14 +2,19 @@ id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
 name: Zero day threats
 description: |
   This query helps reviewing zero day threats via URL and file detonations
+description-detailed: |
+  This query helps reviewing zero day threats via URL and file detonations using Defender for Office 365 data
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where Timestamp > ago(30d) 
   | where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation" 
   | count
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml

@@ -1,7 +1,9 @@
 id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
 name: Email containing malware accessed on a unmanaged device
 description: |
-  In this query, we looking for emails containing malware accessed on a unmanaged device
+  In this query, we are looking for emails containing malware accessed on a unmanaged device
+description-detailed: |
+  In this query, we are looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
@@ -9,7 +11,9 @@ requiredDataConnectors:
    - CloudAppEvents
    - AADSignInEventsBeta
 tactics:
-- Malware
+  - Execution
+relevantTechniques:
+  - T1204
 query: |
   EmailPostDeliveryEvents
   | where ActionType == "Malware ZAP"
@@ -22,4 +26,5 @@ query: |
   ) on InternetMessageId
   | where isnotempty(SessionId)
   | join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
-  | project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
+  | project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml

@@ -1,15 +1,20 @@
 id: 07c85687-6dee-4266-9345-1e34de85d989
 name: Email containing malware sent by an internal sender
 description: |
-  In this query, we looking for emails containing malware attachment sent by an internal sender
+  In this query, we are looking for emails containing malware attachment sent by an internal sender
+description-detailed: |
+  In this query, we are looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
    - EmailEvents
 tactics:
-- Malware
+  - LateralMovement
+relevantTechniques:
+  - T1534
 query: |
   EmailEvents
   | where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
   | where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
-  | join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
+  | join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml

@@ -2,13 +2,17 @@ id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
 name: Email malware detection report
 description: |
   This query helps reviewing email malware detection cases
+description-detailed: |
+  This query helps reviewing email malware detection cases in Defender for Office 365
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
       - EmailAttachmentInfo
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(30d)
@@ -19,3 +23,4 @@ query: |
   | extend Case = array_length(ThreatFamily_wih_Attachment)
   | project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment 
   | sort by Case desc
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml

@@ -2,12 +2,16 @@ id: a3619c75-a927-4dbb-91cc-9adc55e95bda
 name: Malware detections by detection methods
 description: |
   This query helps reviewing malware detections by detection methods
+description-detailed: |
+  This query helps reviewing malware detections by detection methods in Defender for Office 365
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(30d)
@@ -25,3 +29,4 @@ query: |
           )
   | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
   | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml

@@ -2,14 +2,20 @@ id: fd68706e-8e3e-4ccd-9230-1f267bdad4c8
 name: Admin overrides
 description: |
   This query helps in reviewing malicious emails allowed due to admin overrides
+description-detailed: |
+  This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
   EmailEvents
   | where DeliveryLocation == "Inbox/folder" 
   | where isnotempty(ThreatTypes) and OrgLevelAction == "Allow" 
   | count
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml

@@ -2,13 +2,19 @@ id: c73ae295-d120-4f79-aaed-de005f766ad2
 name: Top policies performing admin overrides
 description: |
   This query helps in reviewing top policies for admin overrides (Allow/Block)
+description-detailed: |
+  This query helps in reviewing top policies for admin defined detection overrides (Allow/Block)in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
   EmailEvents  
   | where Timestamp > ago(30d) and OrgLevelPolicy!="" and OrgLevelAction == "Allow"  //"Block"
   | summarize count() by OrgLevelPolicy
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml

@@ -2,13 +2,19 @@ id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
 name: Top policies performing user overrides
 description: |
   This query helps in reviewing top policies for user overrides (Allow/Block)
+description-detailed: |
+  This query helps in reviewing top policies for user defined detection overrides (Allow/Block)in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
   EmailEvents
   | where Timestamp > ago(30d) and UserLevelPolicy!="" and UserLevelAction == "Allow" //"Block"
   | summarize count() by UserLevelPolicy
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml

@@ -2,14 +2,20 @@ id: b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9
 name: User overrides
 description: |
   This query helps in reviewing malicious emails allowed due to user overrides
+description-detailed: |
+  This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
   EmailEvents
   | where DeliveryLocation == "Inbox/folder" 
   | where isnotempty(ThreatTypes) and UserLevelAction == "Allow" 
   | count
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml

@@ -1,6 +1,8 @@
 id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
 name: Appspot Phishing Abuse
 description: |
+  This query helps surface phishing campaigns associated with Appspot abuse.
+description-detailed: |
   This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
   This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
   Reference - https://twitter.com/MsftSecIntel
@@ -10,7 +12,9 @@ requiredDataConnectors:
   - EmailUrlInfo
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailUrlInfo
   // Detect URLs with a subdomain on appspot.com
@@ -23,4 +27,5 @@ query: |
   | where Url has RecipientEmailAddress
       // Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
       or Url has base64_encode_tostring(RecipientEmailAddress)
-  | project-away Timestamp1, NetworkMessageId1, ReportId1 
+  | project-away Timestamp1, NetworkMessageId1, ReportId1
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml

@@ -1,13 +1,17 @@
 id: 9d59be10-54d9-478b-b669-fb4eb8517cd0
 name: Phish detections by detection methods
 description: |
-  This query helps reviewing detections done by some of the most frequent detection technologies in the last 7 days
+  This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days
+description-detailed: |
+  This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days in Defender for Office 365
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(7d)
@@ -32,3 +36,4 @@ query: |
           )
   | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
   | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Phish
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml

@@ -1,13 +1,18 @@
 id: 25150085-015a-4673-9b67-bc6ad9475500
 name: Campaign with randomly named attachments
 description: |
-  In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients, typically more than 50, can potentially indicate a QR code phishing campaign
+  In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
+description-detailed: |
+  In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients using Defender for Office 365 data, typically more than 50, can potentially indicate a QR code phishing campaign.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailAttachmentInfo
   | where Timestamp > ago(7d)
@@ -15,4 +20,5 @@ query: |
   | where isnotempty(FileName)
   | extend firstFourFileName = substring(FileName, 0, 4)
   | summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
-  | where FirstFourFilesCount >= 10
+  | where FirstFourFilesCount >= 10
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml

@@ -2,12 +2,17 @@ id: 9b086a51-e396-4718-90d7-f7b3646e6581
 name: Campaign with suspicious keywords
 description: |
   In this detection, we track emails with suspicious keywords in subjects.
+description-detailed: |
+  In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let PhishingKeywords = ()
   {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
@@ -16,4 +21,5 @@ query: |
   | where EmailDirection == "Inbound"
   | where DeliveryAction == "Delivered"
   | where isempty(SenderObjectId)
-  | where Subject has_any (PhishingKeywords())
+  | where Subject has_any (PhishingKeywords())
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml

@@ -2,13 +2,18 @@ id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
 name: Custom detection-Emails with QR from non-prevalent senders
 description: |
   In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
+description-detailed: |
+  In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
   - EmailUrlInfo
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let QRCode_emails = EmailUrlInfo
   | where Timestamp > ago (2d)
@@ -42,4 +47,5 @@ query: |
   | where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
   | join kind=inner senders_NMIDs on NetworkMessageId
   | project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
-  QRCode_emails_from_non_prevalent_senders
+  QRCode_emails_from_non_prevalent_senders
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml

@@ -2,13 +2,18 @@ id: 594fe5a1-53b6-466b-86df-028366c3994e
 name: Emails delivered having URLs from QR codes
 description: |
   In this query, we hunt for inbound emails delivered having URLs from QR codes
+description-detailed: |
+  In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
   - EmailUrlInfo
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(30d)
@@ -16,4 +21,5 @@ query: |
   | where DeliveryAction == "Delivered"
   | join EmailUrlInfo on NetworkMessageId
   | where UrlLocation == "QRCode"
-  | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
+  | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml

@@ -2,13 +2,18 @@ id: 706b711a-7622-40f1-9ebb-331d1a0ff697
 name: Emails with QR codes and suspicious keywords in subject
 description: |
   In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
+description-detailed: |
+  In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
   - EmailUrlInfo
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let SubjectKeywords = ()
   {pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password",  "payment", "urgent", "verify");};
@@ -18,4 +23,5 @@ query: |
   | where DeliveryAction == "Delivered"
   | where Subject has_any (SubjectKeywords)
   | join EmailUrlInfo on NetworkMessageId
-  | where UrlLocation == "QRCode"
+  | where UrlLocation == "QRCode"
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml

@@ -2,13 +2,18 @@ id: f708c866-073a-4107-a60b-ba6f86e54caa
 name: Emails with QR codes from non-prevalent sender
 description: |
   In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
+description-detailed: |
+  In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
   - EmailUrlInfo
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let senderprevalence =
   EmailEvents
@@ -27,4 +32,5 @@ query: |
   | join EmailUrlInfo on NetworkMessageId
   | where UrlLocation == "QRCode"
   | distinct SenderFromAddress,Url,NetworkMessageId;
-  QR_from_non_prevalent
+  QR_from_non_prevalent
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml

@@ -2,13 +2,17 @@ id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
 name: Hunting for sender patterns
 description: |
   In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
+description-detailed: |
+  In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
   - EmailAttachmentInfo
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let PhishingSenderDisplayNames = ()
   {
@@ -39,4 +43,5 @@ query: |
   | distinct SenderFromDomain);
   suspiciousEmails
   | where SenderFromDomain !in (prevalentSenders)
-  | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
+  | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml

@@ -1,13 +1,17 @@
 id: 8c852f12-499f-499b-afc1-25c50aa9b462
 name: Hunting for user signals-clusters
 description: |
-  In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify th escope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table
+  In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
+description-detailed: |
+  In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table using Defender for Office 365 data.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let suspiciousClusters = EmailEvents
   | where Timestamp > ago(7d)
@@ -18,4 +22,5 @@ query: |
   | where Timestamp > ago(7d)
   | where EmailDirection == "Inbound"
   | where EmailClusterId in (suspiciousClusters)
-  | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
+  | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml

@@ -2,13 +2,18 @@ id: f6354c94-3a95-4235-8530-414f016a7bf6
 name: Inbound emails with QR code URLs
 description: |
   In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
+description-detailed: |
+  In this query, we summarize volume of inbound emails with QR code URLs in last 30 days using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
   - EmailUrlInfo
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(30d)
@@ -16,4 +21,5 @@ query: |
   | join EmailUrlInfo on NetworkMessageId
   | where UrlLocation == "QRCode"
   | summarize dcount(NetworkMessageId) by bin(Timestamp, 1d)
-  | render timechart
+  | render timechart
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml

@@ -1,13 +1,17 @@
 id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
 name: Personalized campaigns based on the first few keywords
 description: |
-  In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
+  In this detection, we track emails with personalized subjects. 
+description-detailed: |
+   In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(1d)
@@ -17,4 +21,5 @@ query: |
   | extend words = split(Subject," ")
   | project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
   | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
-  | where SubjectsCount >= 10
+  | where SubjectsCount >= 10
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml

@@ -1,13 +1,17 @@
 id: 54d3455d-27e0-4ceb-99f9-375abd620151
 name: Personalized campaigns based on the last few keywords
 description: |
-  In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
+  In this detection, we track emails with personalized subjects.
+description-detailed: |
+  In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(1d)
@@ -17,4 +21,5 @@ query: |
   | extend words = split(Subject," ")
   | project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
   | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
-  | where SubjectsCount >= 10
+  | where SubjectsCount >= 10
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml

@@ -1,13 +1,18 @@
 id: 8d298b5c-feca-4add-bd42-e43e0a317a88
 name: Risky sign-in attempt from a non-managed device
 description: |
+  In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
+description-detailed: |
   In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device as this can be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   AADSignInEventsBeta
   | where Timestamp > ago(7d)
@@ -22,4 +27,5 @@ query: |
   | where isnotempty(AccountObjectId)
   | where isempty(DeviceName)
   | where isempty(AadDeviceId)
-  | project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
+  | project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml

@@ -1,14 +1,19 @@
 id: 3131d0ba-32c9-483e-a25c-82e26a07e116
 name: Suspicious sign-in attempts from QR code phishing campaigns
 description: |
+  This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
+description-detailed: |
   This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - CloudAppEvents
   - AADSignInEventsBeta
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let successfulRiskySignIn = materialize(AADSignInEventsBeta
   | where Timestamp > ago(1d)
@@ -38,4 +43,5 @@ query: |
   | extend items = folders.FolderItems
   | mv-expand items
   | extend InternetMessageId = tostring(items.InternetMessageId)
-  | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
+  | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml

@@ -1,14 +1,18 @@
 id: a12cac64-ea6d-46d4-91a6-262b165fb9ad
 name: Group quarantine release
 description: |
-  This query helps in reviewing group released messages by detection type. Useful to see what is leading to the largest number of messages being released.
+  This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
+description-detailed: |
+  This query helps in reviewing group Quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents 
   | where ActionType == "QuarantineReleaseMessage"
@@ -17,3 +21,4 @@ query: |
   | join EmailEvents on NetworkMessageId
   | summarize count() by DetectionMethods
   | order by count_ desc
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml

@@ -1,14 +1,18 @@
 id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc
 name: High Confidence Phish Released
 description: |
-  This query shows information about high confidence phish email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
+  This query shows information about high confidence phish email that has been released from the Quarantine.
+description-detailed: |
+  This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents 
   | where ActionType == "QuarantineReleaseMessage"
@@ -19,4 +23,5 @@ query: |
     | project-rename EmailTime = Timestamp
     ) on NetworkMessageId
   | project-away NetworkMessageId1
-  | order by ReleaseTime asc
+  | order by ReleaseTime asc
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml

@@ -1,14 +1,19 @@
 id: 6f96f6d7-d972-421e-a59f-6b9a8de81324
 name: Quarantine Release Email Details
 description: |
-  This query shows information about email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
+  This query shows information about email that has been released from the Quarantine in Defender for Office 365.
+description-detailed: |
+  This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents 
   | where ActionType == "QuarantineReleaseMessage"
@@ -18,4 +23,5 @@ query: |
     | project-rename EmailTime = Timestamp
     ) on NetworkMessageId
   | project-away NetworkMessageId1
-  | order by ReleaseTime asc 
+  | order by ReleaseTime asc
+version: 1.0.0  

Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml

@@ -1,16 +1,22 @@
 id: 9f135aef-ad25-4df2-bdab-8399978a36a2
 name: Quarantine release trend
 description: |
-  This query helps reviewing quarantine release trend
+  This query helps reviewing quarantine release trend in Defender for Office 365
+description-detailed: |
+  This query helps reviewing quarantine release trend in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents
   | where ActionType == "QuarantineReleaseMessage"
   | summarize count() by bin(Timestamp, 1d)
   | project-rename Releases = count_
   | render timechart with (title="Qurantine Releases by Day")
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml

@@ -1,6 +1,9 @@
 id: 99713387-9d61-49eb-8edc-f51153d8bb01
 name: Listing Email Remediation Actions via Explorer
 description: |
+  Listing Email Remediation Actions performed via Explorer in Defender for Office 365
+description-detailed: |
+  Listing Email Remediation Actions performed via Explorer in Defender for Office 365
   - Track each cases with Network Message ID
   - Sort the users who got a number of actions 
   - e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items 
@@ -8,7 +11,10 @@ requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
-tactics: []
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   | where Timestamp > ago(30d)
@@ -23,4 +29,5 @@ query: |
   | extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
   | extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
   | project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
-  | order by Sum_case desc 
+  | order by Sum_case desc
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml

@@ -2,19 +2,23 @@ id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c
 name: Display Name - Spoof and Impersonation
 description: |
   This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name
+description-detailed: |
+  This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name using Defender for Office 365 Data
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let emailDelivered = EmailEvents
   | where Timestamp < ago(24hrs)
   and DeliveryAction == "Delivered"
   and SenderDisplayName contains "Microsoft"
   | summarize count() by SenderFromAddress
-  | where count_ > 3 // ensuring that some level of communications has occured.
+  | where count_ > 3 // ensuring that some level of communications has occurred.
   | project SenderFromAddress;
   EmailEvents
   | where Timestamp > ago(24hrs)
@@ -27,4 +31,5 @@ query: |
   | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
   | join kind=leftanti  ( emailDelivered ) on SenderFromAddress
   | order by SenderMailFromAddress
-  | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
+  | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml

@@ -1,6 +1,8 @@
 id: cdc4da1c-64a1-4941-be59-1f5cc85481ab
 name: referral-phish-emails
 description: |
+  Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
+description-detailed: |
   The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
@@ -8,7 +10,9 @@ requiredDataConnectors:
   - EmailEvents
   - EmailUrlInfo
 tactics:
-- Credential Access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let EmailAddresses = pack_array
   ('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
@@ -20,3 +24,4 @@ query: |
   | extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
   | where SenderFromDomain == RecipientDomain
   | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml

@@ -2,14 +2,20 @@ id: b3180ac0-6d94-494a-8b8c-fcc84319ea6e
 name: Spoof and impersonation detections by sender IP
 description: |
   This query helps reviewing count of spoof and impersonation detections done per sender IP
+description-detailed: |
+  This query helps reviewing count of spoof and impersonation detections done per sender IP using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
   - EmailEvents
 tactics:
-- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")  
   | project Timestamp, EmailDirection, SenderFromAddress, AdditionalFields, SenderIPv4 
   | summarize count() by SenderIPv4
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml

@@ -2,15 +2,21 @@ id: 011c3d48-f6ca-405f-9763-66c7856ad2ba
 name: Spoof and impersonation phish detections
 description: |
   This query helps reviewing count of phish detections done by spoof detection methods
+description-detailed: |
+  This query helps reviewing count of phish detections done by spoof detection methods in Defender for Office 365.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents
   |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
   | project Timestamp, AR=parse_json(ThreatTypes) , DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress
   | evaluate bag_unpack(DT)
   | summarize count() by tostring(Phish)
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml

@@ -2,13 +2,17 @@ id: e90345b3-439c-44e1-a85d-8ae84ad9c65b
 name: User not covered under display name impersonation
 description: |
   This query helps to find threats using display name impersonation for users not already protected with User Impersonation
+description-detailed: |
+  This query helps to find threats using display name impersonation for users not already protected with User Impersonation
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
       - IdentityInfo
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let display_names = 
   IdentityInfo 
@@ -21,3 +25,4 @@ query: |
     | lookup kind=inner (display_names) on SenderDisplayName, $left.SenderDisplayName == $right.SenderDisplayName 
     | where SenderDisplayName != "" 
     | summarize by SenderDisplayName
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml

@@ -2,12 +2,16 @@ id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49
 name: Admin reported submissions
 description: |
   This query helps reviewing admin reported email submissions
+description-detailed: |
+  This query helps reviewing admin reported email submissions in Defender for Office 365
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents 
   | where Timestamp > ago(30d) 
@@ -15,3 +19,4 @@ query: |
   | extend SubmissionState = (parse_json(RawEventData)).SubmissionState  
   | where Record == 29 
   | where ActionType == "AdminSubmission"
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml

@@ -2,12 +2,16 @@ id: 1c390fd7-2668-4445-9b7d-055f3851be5f
 name: Status of submissions
 description: |
   This query helps reviewing status of submissions
+description-detailed: |
+  This query helps reviewing status of submissions in Defender for Office 365.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents
   | where Timestamp > ago(30d) 
@@ -18,3 +22,4 @@ query: |
   | where ActionType == "UserSubmission" or ActionType == "AdminSubmission" 
   | summarize count() by tostring(SubmissionState) 
   | sort by count_
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml

@@ -2,12 +2,16 @@ id: 2d2351ca-e9a6-4286-b445-a9268189c1dc
 name: Top submitters of admin submissions
 description: |
   This query helps reviewing top submitters of admin submissions
+description-detailed: |
+  This query helps reviewing top submitters of admin submissions in Defender for Office 365
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents
   | where Timestamp > ago(30d) 
@@ -18,3 +22,4 @@ query: |
   | where ActionType == "AdminSubmission" 
   | summarize count() by tostring(UserKey) 
   | sort by count_
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml

@@ -2,12 +2,16 @@ id: 8c9bc29b-f32a-49fe-8fe8-450479f4130f
 name: Top submitters of user submissions
 description: |
   This query helps reviewing top submitters of user submissions
+description-detailed: |
+  This query helps reviewing top submitters of user submissions in Defender for Office 365
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents
   | where Timestamp > ago(30d) 
@@ -18,3 +22,4 @@ query: |
   | where ActionType == "UserSubmission" 
   | summarize count() by tostring(UserKey) 
   | sort by count_
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml

@@ -2,12 +2,16 @@ id: 0bd33643-c517-48b1-8211-25a7fbd15a50
 name: User reported submissions
 description: |
   This query helps reviewing user reported email submissions
+description-detailed: |
+  This query helps reviewing user reported email submissions in Defender for Office 365
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   CloudAppEvents 
   | where Timestamp > ago(30d) 
@@ -15,3 +19,4 @@ query: |
   | extend SubmissionState = (parse_json(RawEventData)).SubmissionState  
   | where Record == 29 
   | where ActionType == "UserSubmission"
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml

@@ -1,13 +1,17 @@
 id: de480ca4-4095-4fef-b3e7-2a3f17f24e78
 name: Attacked more than x times average
 description: |
-  This query helps reviewing count of users attacked more than x times average. Update the value of x in the query to get desired results.
+  This query helps reviewing count of users attacked more than x times average.
+description-detailed: |
+  This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let AverageThreatPerRecipient = toscalar(EmailEvents 
   | where DetectionMethods != "" 
@@ -17,3 +21,4 @@ query: |
   | where DetectionMethods != "" 
   | summarize total=count() by RecipientEmailAddress 
   | where tolong(total) >= 1*AverageThreatPerRecipient // update "1"
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml

@@ -2,15 +2,20 @@ id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27
 name: Malicious mails by sender IPs
 description: |
   This query helps reviewing sender IPs sending malicious email of type Malware or Phish
+description-detailed: |
+  This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where Timestamp > ago(30d) 
   | where ThreatTypes has "Phish" or ThreatTypes has "Malware"
   | summarize count() by SenderIPv4 //SenderIPv6
   | sort by count_
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml

@@ -1,14 +1,18 @@
 id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25
 name: Top 10 URL domains attacking organization
 description: |
-  This query helps reviewing list of top 10 URL domains attacking organization
+  This query helps reviewing list of top 10 URL domains attacking the organization
+description-detailed: |
+  This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
       - EmailUrlInfo
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where ThreatTypes != "" 
@@ -20,3 +24,4 @@ query: |
   | summarize total=count() by UrlDomain 
   | top 10 by total 
   | render columnchart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml

@@ -2,12 +2,16 @@ id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58
 name: Top 10% of most attacked users
 description: |
   This query helps reviewing the list of top 10% of most attacked users
+description-detailed: |
+  This query helps reviewing the list of top 10% of most attacked users using Defender for Office 365 data.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let topTargeted = toscalar( EmailEvents 
   | where DetectionMethods != "" 
@@ -18,3 +22,4 @@ query: |
   | summarize total=count() by RecipientEmailAddress 
   | where total >= topTargeted 
   | order by total desc
+version: 1.0.0 

Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml

@@ -2,15 +2,20 @@ id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2
 name: Top external malicious senders
 description: |
   This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days
+description-detailed: |
+  This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where Timestamp > ago(30d) 
   | where EmailDirection == "Inbound" 
   | summarize count() by SenderFromAddress 
   | sort by count_
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml

@@ -2,15 +2,20 @@ id: a1664330-810a-473b-b354-acbaa751a294
 name: Top targeted users
 description: |
   This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days
+description-detailed: |
+  This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   EmailEvents 
   | where Timestamp > ago(30d) 
   | where ThreatTypes has "Malware" or ThreatTypes has "Phish" 
   | summarize count() by RecipientEmailAddress 
   | sort by count_
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml

@@ -2,12 +2,16 @@ id: d24e9c4a-b72a-4a85-89cd-83760ae61155
 name: End user malicious clicks
 description: |
   This query helps reviewing list of top users click on Phis URLs
+description-detailed: |
+  This query helps reviewing list of top users click on Phis URLs using Defender for Office 365 data.
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - UrlClickEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   UrlClickEvents
   | where ThreatTypes contains "Phish"
@@ -17,3 +21,4 @@ query: |
   | extend ErrorPage = ActionType has_any('UrlErrorPage')
   | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough)  by AccountUpn
   | sort by Blocked desc
+version: 1.0.0