Merge pull request #11117 from damozes1/damozes1MDOAH1

Adding many MDO hunting queries to Defender XDR solution
2024-09-18 11:29:38 +05:30 · 2024-09-18 11:29:38 +05:30 · ffb920f459
--- a/Queries/Attachment/ATP
+++ b/Queries/Attachment/ATP
@ -2,12 +2,17 @@ id: 518e6938-10ef-4165-af19-82f1287141bc
 name: ATP policy status check
 description: |
  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
+description-detailed: |
+  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
  CloudAppEvents
  | where Application == "Microsoft Exchange Online"
@ -19,3 +24,4 @@ query: |
  | extend packed = pack(Name, Value)
  | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
  | evaluate bag_unpack(PackedInfo)
+version: 1.0.0
--- a/Queries/Attachment/JNLP
+++ b/Queries/Attachment/JNLP
@ -2,12 +2,17 @@ id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
 name: JNLP-File-Attachment
 description: |
  JNLP file extensions are an uncommon file type often used to deliver malware.
+description-detailed: |
+  JNLP file extensions are an uncommon file type often used to deliver malware.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailAttachmentInfo
 tactics:
- Initial access
+- InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailAttachmentInfo
  | where FileName endswith ".jnlp"
+version: 1.0.0
--- a/Queries/Attachment/Safe
+++ b/Queries/Attachment/Safe
@ -2,12 +2,17 @@ id: 16eda414-1550-4cdc-8512-0769901d3f05
 name: Safe Attachments detections
 description: |
  This query provides insights on the detections done by Safe Attachment detections
+description-detailed: |
+  This query provides insights on the detections done by Safe Attachment detections.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where DetectionMethods != "" 
@ -15,3 +20,4 @@ query: |
  | where detection has "File detonation reputation" or detection has "File detonation"
  | summarize total=count() by bin(Timestamp, 1d) 
  | order by Timestamp asc
+version: 1.0.0
--- a/Queries/Authentication/Authentication
+++ b/Queries/Authentication/Authentication
@ -2,12 +2,17 @@ id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
 name: Authentication failures by time and authentication type
 description: |
  This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
+description-detailed: |
+  This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago (30d)
@ -15,3 +20,4 @@ query: |
  | evaluate bag_unpack(AR)
  | where DMARC == "fail"
  | summarize count() by bin(Timestamp, 1d)
+version: 1.0.0
--- a/Queries/Authentication/Spoof
+++ b/Queries/Authentication/Spoof
@ -1,16 +1,22 @@
 id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
 name: Spoof attempts with auth failure
 description: |
-  this query helps in checking for spoofing attempts on the domain with Authentication failures
+  This query helps in checking for spoofing attempts on the domain with Authentication failures
+description-detailed: |
+  This query helps in checking for spoofing attempts on the domain with Authentication failures.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where Timestamp > ago (1d) and DetectionMethods contains "spoof"  
  | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames  
  | evaluate bag_unpack(AR)  
  | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
+version: 1.0.0
--- a/Queries/General/Audit
+++ b/Queries/General/Audit
@ -1,13 +1,18 @@
 id: ba1a91ad-1f99-4386-b191-06a76ef213f8
 name: Audit Email Preview-Download action
 description: |
-  This query helps report on who Previewed/Downloaded email messages using Email entitiy page in MDO
+  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
+description-detailed: |
+  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
 tactics:
- Privilege escalation
+- PrivilegeEscalation
+relevantTechniques:
+  - T1078
 query: |
  CloudAppEvents
  | project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData) 
@ -20,4 +25,5 @@ query: |
  | extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
  | summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName),  DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
  | extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
-  | project-away RowNumber
+  | project-away RowNumber
+version: 1.0.0
--- a/Queries/General/Hunt
+++ b/Queries/General/Hunt
@ -1,14 +1,20 @@
 id: bc2d8214-afb6-4876-b210-25b69325b9b2
 name: Hunt for TABL changes
 description: |
-  This query helps hunting for Tenant allow/block list (TABL) changes in MDO
+  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
+description-detailed: |
+  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
 tactics:
- Defense evasion
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
  CloudAppEvents
  | where ActionType contains "TenantAllowBlockListItems"
-  | order by Timestamp desc
+  | order by Timestamp desc
+version: 1.0.0
--- a/Queries/General/Local
+++ b/Queries/General/Local
@ -1,15 +1,20 @@
 id: 712ffdd8-ddce-4372-85dd-063029b418cf
 name: Local time to UTC time conversion
 description: |
-  Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
+  Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
+description-detailed: |
+  This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
  | where DeliveryAction == "Delivered"
  | where LatestDeliveryLocation == "Quarantine"
+version: 1.0.0
--- a/Queries/General/MDO
+++ b/Queries/General/MDO
@ -1,7 +1,10 @@
 id: deb4b2c6-c10e-4044-8cf4-84243e40db73
 name: MDO daily detection summary report
 description: |
-  This query helps report daily on total # of emails, total # of emails detected as Malware, Phish, Spam, Bulk, total number of user/admin submissions, total # of ZAP events, total # of AIR investigations and their result
+  This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
+description-detailed: |
+  This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
@ -10,7 +13,9 @@ requiredDataConnectors:
  - EmailEvents
  - EmailPostDeliveryEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let QueryTime = 30d;
  let Reports = CloudAppEvents 
@ -57,4 +62,5 @@ query: |
  | join kind=fullouter ThreatByAutomation on Date_value
  | sort by Date_value asc
  | project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
-  | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
+  | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
+version: 1.0.0
--- a/Queries/General/Mail
+++ b/Queries/General/Mail
@ -2,15 +2,20 @@ id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
 name: Mail item accessed
 description: |
  This query helps reviewing emails accessed by end users using cloud app events data
+description-detailed: |
+  This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents
  | where Timestamp > ago(30d)
  | extend Record= (parse_json(RawEventData)).RecordType
  | where Record == 50
  | take 10
+version: 1.0.0
--- a/Queries/General/Malicious
+++ b/Queries/General/Malicious
@ -1,13 +1,17 @@
 id: 63c799bc-7567-4e4d-97be-e143fcfaa333
 name: Malicious email senders
 description: |
-  This query helps reviewing emails from sender with atleast one email in quarantine
+  This query helps hunting for emails from a sender with at least one email in quarantine
+description-detailed: |
+  This query helps hunting for emails from a sender with at least one email detected with a threat and sent into quarantine
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let SenderWithQuarantine = EmailEvents
  | where LatestDeliveryLocation == "Quarantine"
@ -15,3 +19,4 @@ query: |
  EmailEvents
  | where LatestDeliveryLocation == "Inbox/folder"
  | where SenderFromAddress in (SenderWithQuarantine)
+version: 1.0.0
--- a/Queries/General/New
+++ b/Queries/General/New
@ -1,15 +1,18 @@
 id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
 name: New TABL Items
 description: |
-  Identifies new items being added to the Tenant/Allow Block List (TABL). The output includes details about both Allow and Block entries.
+  This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
+description-detailed: |
+  This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
 tactics:
- DefenseEvasion
+  - DefenseEvasion
 relevantTechniques:
-  - T1484
+  - T1562
 query: |
  CloudAppEvents
  | where ActionType == "New-TenantAllowBlockListItems"
@ -27,3 +30,4 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountUpn
+version: 1.0.0
--- a/Queries/Hunting/Emails
+++ b/Queries/Hunting/Emails
@ -0,0 +1,18 @@
+id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
+name: Emails containing links to IP addresses
+description: |
+  This query helps hunting for Emails containing links to IP addresses
+description-detailed: |
+  This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailUrlInfo
+  | where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
+version: 1.0.0
--- a/Queries/Hunting/Good
+++ b/Queries/Hunting/Good
@ -0,0 +1,30 @@
+id: e6259b03-622e-4e11-9c54-94987dad7c14
+name: Good emails from senders with bad patterns
+description: |
+  This query helps hunting for good emails from senders with bad patterns
+description-detailed: |
+  This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+    //Good emails from senders with bad patterns
+    let PctPhishThreshold = 50;
+    let LookbackWindow = 1d;
+     EmailEvents
+    | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
+    | extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
+    | where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
+    | summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
+    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
+    | summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
+    | project-away SenderMailFromAddress1,AuthenticationDetails1
+    | extend PctPhish = (PhishCount*100 / TotalCount)
+    | where PctPhish < 100 and PctPhish>= PctPhishThreshold
+    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
+version: 1.0.0
--- a/Queries/Hunting/Hunt
+++ b/Queries/Hunting/Hunt
@ -2,12 +2,16 @@ id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72
 name: Hunt for email conversation take over attempts
 description: |
  This query helps hunting for email conversation take over attempts
+description-detailed: |
+  This query helps hunting for email conversation take over attempts using Defender for Office 365 data.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(4hrs)
@ -32,4 +36,5 @@ query: |
  and Pair1 == ""
  | join kind=leftouter (EmailDomains) on SenderFromDomain
  | where SenderFromDomain1 == ""
-  | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
+  | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0
--- a/Queries/Hunting/Hunt
+++ b/Queries/Hunting/Hunt
@ -2,13 +2,18 @@ id: 57f95ba7-938d-4a76-b411-c01034c0d167
 name: Hunt for malicious URLs using external IOC source
 description: |
  This query helps hunt for emails with malicious URLs based on external IOC source
+description-detailed: |
+  This query helps hunt for emails with malicious URLs based on URLs from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
+  Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailUrlInfo
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let url = (externaldata(url: string )
  [@"https://urlhaus.abuse.ch/downloads/text_online/"]
@ -19,4 +24,5 @@ query: |
  | where Timestamp > ago(2h) 
  ) on $left.url == $right.Url
  |join EmailEvents on NetworkMessageId
-  |project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
+  |project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
+version: 1.0.0
--- a/Queries/Hunting/Hunt
+++ b/Queries/Hunting/Hunt
@ -2,12 +2,17 @@ id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe
 name: Hunt for malicious attachments using external IOC source
 description: |
  This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source
+description-detailed: |
+  This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
+  Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailAttachmentInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let abuse_sha256 = (externaldata(sha256_hash: string)
  [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
@ -18,4 +23,5 @@ query: |
  | join (EmailAttachmentInfo
  | where Timestamp > ago(1d)
  ) on $left.sha256_hash == $right.SHA256
-  | project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
+  | project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
+version: 1.0.0
--- a/Queries/Hunting/Inbox
+++ b/Queries/Hunting/Inbox
@ -2,14 +2,20 @@ id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
 name: Inbox rule changes which forward-redirect email
 description: |
  This query helps hunting for Inbox rule changes which forward-redirect email
+description-detailed: |
+  This query helps hunting for Inbox rule changes which forward-redirect email
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
 tactics:
- Persistence
+  - Persistence
+relevantTechniques:
+  - T1098
 query: |
  CloudAppEvents
  | where ActionType contains "Set-InboxRule"
  |extend Parameters = tostring((parse_json(RawEventData)).Parameters)
-  |where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
+  |where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
+version: 1.0.0
--- a/Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
+++ b/Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
@ -2,19 +2,25 @@ id: 430a9c0d-f3ce-46a3-a994-92b3ada0d1b2
 name: MDO_CountOfRecipientsEmailaddressbySubject
 description: |
  Count of recipient's email addresses by subject
+description-detailed: |
+  Count of recipient's email addresses by subject
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-//Count of recipient's email addresses by subject
-EmailEvents
-//Change the date for as far back as you want to go
-| where Timestamp > ago(10d)
-| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
-//Change the Count of how many times the email with the same subject has come in
-| where CountRecipientEmailAddress >= 15
-| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
+  //Count of recipient's email addresses by subject
+  EmailEvents
+  //Change the date for as far back as you want to go
+  | where Timestamp > ago(10d)
+  | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
+  //Change the Count of how many times the email with the same subject has come in
+  | where CountRecipientEmailAddress >= 15
+  | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
 metadata:
    source:
        kind: Community
@ -23,4 +29,5 @@ metadata:
    support:
        tier: Community
    categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0
--- a/Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
+++ b/Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
@ -2,19 +2,25 @@ id: b95994d1-1008-4c42-a74f-9f2967e39ed6
 name: MDO_CountOfSendersEmailaddressbySubject
 description: |
  Count of sender's email addresses by subject
+description-detailed: |
+  Count of sender's email addresses by subject
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-//Count of sender's email addresses by subject
-EmailEvents
-//Change the date for as far back as you want to go
-| where Timestamp > ago(10d)
-| summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
-//Change the Count of how many times the email with the same subject has come in
-| where CountSenderFromAddress >= 10
-| project SenderFromAddress, CountSenderFromAddress, Subject
+  //Count of sender's email addresses by subject
+  EmailEvents
+  //Change the date for as far back as you want to go
+  | where Timestamp > ago(10d)
+  | summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
+  //Change the Count of how many times the email with the same subject has come in
+  | where CountSenderFromAddress >= 10
+  | project SenderFromAddress, CountSenderFromAddress, Subject
 metadata:
    source:
        kind: Community
@ -23,4 +29,5 @@ metadata:
    support:
        tier: Community
    categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0
--- a/Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
+++ b/Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
@ -1,20 +1,26 @@
 id: f840db5b-87c9-43c8-a8c3-5b6b83838cd4
 name: MDO_Countofrecipientsemailaddressesbysubject
 description: |
-  Count of recipient's email addresses by subject 
+  Count of recipient's email addresses by subject
+description-detailed: |
+  Count of recipient's email addresses by subject  
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566  
 query: |
-//Count of recipient's email addresses by subject
-EmailEvents
-//Change the date for as far back as you want to go
-| where Timestamp > ago(10d)
-| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
-//Change the Count of how many times the email with the same subject has come in
-| where CountRecipientEmailAddress >= 15
-| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
+  //Count of recipient's email addresses by subject
+  EmailEvents
+  //Change the date for as far back as you want to go
+  | where Timestamp > ago(10d)
+  | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
+  //Change the Count of how many times the email with the same subject has come in
+  | where CountRecipientEmailAddress >= 15
+  | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
 metadata:
    source:
        kind: Community
@ -23,4 +29,5 @@ metadata:
    support:
        tier: Community
    categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0
--- a/Queries/Hunting/MDO_SummaryOfSenders.YAML
+++ b/Queries/Hunting/MDO_SummaryOfSenders.YAML
@ -2,20 +2,26 @@ id: a96c1571-1f7d-48dc-8287-7df5a5f0d987
 name: MDO_SummaryOfSenders
 description: |
  Count of all Senders and where they were delivered
+description-detailed: |
+  Count of all Senders and where they were delivered
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
- - EmailEvents
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-//Distinct Count
-EmailEvents
-| summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
+  //Distinct Count
+  EmailEvents
+  | summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
    Emails = count_distinct(DeliveryLocation == "Inbox/folder"),
    JunkEmails = count_distinct(DeliveryLocation == "Junk folder")by SenderFromAddress

-//Count of all Senders and where they were delivered
-EmailEvents
-| summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
+  //Count of all Senders and where they were delivered
+  EmailEvents
+  | summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
    Emails = count(DeliveryLocation == "Inbox/folder"),
    JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress
 metadata:
@ -26,4 +32,5 @@ metadata:
    support:
        tier: Community
    categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0
--- a/Queries/Hunting/MDO_URLClickedinEmail.YAML
+++ b/Queries/Hunting/MDO_URLClickedinEmail.YAML
@ -2,15 +2,21 @@ id: 2c6e7f75-d83c-4344-afdc-83335fe550e6
 name: MDO_URLClickedinEmail
 description: |
  URLs clicked in Email
+description-detailed: |
+  URLs clicked in Email
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
- - UrlClickEvents
+  - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
-UrlClickEvents
-| where ActionType == "ClickAllowed"
-//| where ActionType <> "ClickAllowed"
-| project AccountUpn, ActionType, Url
+  UrlClickEvents
+  | where ActionType == "ClickAllowed"
+  //| where ActionType <> "ClickAllowed"
+  | project AccountUpn, ActionType, Url
 metadata:
    source:
        kind: Community
@ -19,4 +25,5 @@ metadata:
    support:
        tier: Community
    categories:
-        domains: [ "Security" ]
+        domains: [ "Security" ]
+version: 1.0.0
--- a/Queries/Mailflow/Detections
+++ b/Queries/Mailflow/Detections
@ -2,12 +2,17 @@ id: 1c51e10e-7f77-40bc-bd37-6aa55cdf94d6
 name: Detections by detection methods
 description: |
  This query helps reviewing malicious email detections by detection methods
+description-detailed: |
+  This query helps reviewing malicious email detections by detection methods in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-detection-technology-in-email-entity
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(7d)
@ -38,3 +43,4 @@ query: |
              Campaign = countif(MDO_detection.Phish == @'["Campaign"]' or MDO_detection.Malware == @'["Campaign"]') by bin(Timestamp, 1d)
  | project Timestamp, TotalEmailCount, Phish_detection, Malware_detection, Spam_detection,URL_malicious_reputation,URL_detonation_reputation ,URL_detonation,Advanced_filter, General_filter,Spoof_intra_org,Spoof_external_domain,Spoof_DMARC,Impersonation_brand,Impersonation_user,Impersonation_domain,
  Mixed_analysis_detection,File_reputation,File_detonation,File_detonation_reputation,Antimalware_engine,Fingerprint_matching,Mailbox_intelligence_impersonation,Campaign
+version: 1.0.0
--- a/Queries/Mailflow/Mail
+++ b/Queries/Mailflow/Mail
@ -2,12 +2,16 @@ id: da7b973a-0045-4fd6-9161-269369336d24
 name: Mail reply to new domain
 description: |
  This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
+description-detailed: |
+  This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(4hrs)
@ -33,3 +37,4 @@ query: |
  | join kind=leftouter (EmailDomains) on SenderFromDomain
  | where SenderFromDomain1 == ""
  | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0
--- a/Queries/Mailflow/Mailflow
+++ b/Queries/Mailflow/Mailflow
@ -2,15 +2,20 @@ id: 6b478186-da3b-4d71-beaa-aa5b42908499
 name: Mailflow by directionality
 description: |
  This query helps reviewing inbound / outbound / intra-org emails by domain per day
+description-detailed: |
+  This query helps reviewing inbound / outbound / intra-org emails by domain per day
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where Timestamp > ago(30d)
  | extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1) 
  | summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d) 
  | order by Timestamp asc
+version: 1.0.0
--- a/Queries/Mailflow/Malicious
+++ b/Queries/Mailflow/Malicious
@ -2,12 +2,16 @@ id: da932998-81dd-4be4-963c-f4890cb4192e
 name: Malicious emails detected per day
 description: |
  This query helps reviewing Malware, Phishing, Spam emails caught per day
+description-detailed: |
+  This query helps reviewing Malware, Phishing, Spam emails caught per day in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where DetectionMethods != "" 
@ -22,3 +26,4 @@ query: |
      'Spam') 
  | summarize total=count() by detection, bin(Timestamp, 1d) 
  | order by Timestamp asc
+version: 1.0.0
--- a/Queries/Mailflow/Sender
+++ b/Queries/Mailflow/Sender
@ -2,12 +2,16 @@ id: b2beec6a-2c1c-4319-a191-e70c2ee42857
 name: Sender recipient contact establishment
 description: |
  This query helps in checking the sender-recipient contact establishment status
+description-detailed: |
+  This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(30d)
@ -28,3 +32,4 @@ query: |
  | join kind=leftanti  ( emailDelivered ) on SenderFromAddress
  | order by SenderMailFromAddress
  | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0
--- a/Queries/Mailflow/Top
+++ b/Queries/Mailflow/Top
@ -1,16 +1,21 @@
 id: 12225f50-9d41-4b78-8269-cc127d98654c
 name: Top 100 malicious email senders
 description: |
-  This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days
+  This query helps reviewing top 100 malicious senders
+description-detailed: |
+  This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | where ThreatTypes has "Phish" or ThreatTypes has "Malware" 
  | summarize total=count() by SenderMailFromAddress 
  | top 100 by total
+version: 1.0.0
--- a/Queries/Mailflow/Top
+++ b/Queries/Mailflow/Top
@ -2,14 +2,19 @@ id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
 name: Top 100 senders
 description: |
  This query helps reviewing top 100 senders in your organization in last 30 days
+description-detailed: |
+  This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where Timestamp > ago(30d)
  | summarize mailCountBySender = count() by SenderMailFromAddress 
  | top 100 by mailCountBySender
+version: 1.0.0
--- a/Queries/Mailflow/Zero
+++ b/Queries/Mailflow/Zero
@ -2,14 +2,19 @@ id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
 name: Zero day threats
 description: |
  This query helps reviewing zero day threats via URL and file detonations
+description-detailed: |
+  This query helps reviewing zero day threats via URL and file detonations using Defender for Office 365 data
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where Timestamp > ago(30d) 
  | where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation" 
  | count
+version: 1.0.0
--- a/Queries/Malware/Email
+++ b/Queries/Malware/Email
@ -1,7 +1,9 @@
 id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
 name: Email containing malware accessed on a unmanaged device
 description: |
-  In this query, we looking for emails containing malware accessed on a unmanaged device
+  In this query, we are looking for emails containing malware accessed on a unmanaged device
+description-detailed: |
+  In this query, we are looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
@ -9,7 +11,9 @@ requiredDataConnectors:
   - CloudAppEvents
   - AADSignInEventsBeta
 tactics:
- Malware
+  - Execution
+relevantTechniques:
+  - T1204
 query: |
  EmailPostDeliveryEvents
  | where ActionType == "Malware ZAP"
@ -22,4 +26,5 @@ query: |
  ) on InternetMessageId
  | where isnotempty(SessionId)
  | join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
-  | project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
+  | project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
+version: 1.0.0
--- a/Queries/Malware/Email
+++ b/Queries/Malware/Email
@ -1,15 +1,20 @@
 id: 07c85687-6dee-4266-9345-1e34de85d989
 name: Email containing malware sent by an internal sender
 description: |
-  In this query, we looking for emails containing malware attachment sent by an internal sender
+  In this query, we are looking for emails containing malware attachment sent by an internal sender
+description-detailed: |
+  In this query, we are looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
   - EmailEvents
 tactics:
- Malware
+  - LateralMovement
+relevantTechniques:
+  - T1534
 query: |
  EmailEvents
  | where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
  | where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
-  | join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
+  | join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
+version: 1.0.0
--- a/Queries/Malware/Email
+++ b/Queries/Malware/Email
@ -2,13 +2,17 @@ id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
 name: Email malware detection report
 description: |
  This query helps reviewing email malware detection cases
+description-detailed: |
+  This query helps reviewing email malware detection cases in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailAttachmentInfo
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(30d)
@ -19,3 +23,4 @@ query: |
  | extend Case = array_length(ThreatFamily_wih_Attachment)
  | project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment 
  | sort by Case desc
+version: 1.0.0
--- a/Queries/Malware/Malware
+++ b/Queries/Malware/Malware
@ -2,12 +2,16 @@ id: a3619c75-a927-4dbb-91cc-9adc55e95bda
 name: Malware detections by detection methods
 description: |
  This query helps reviewing malware detections by detection methods
+description-detailed: |
+  This query helps reviewing malware detections by detection methods in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(30d)
@ -25,3 +29,4 @@ query: |
          )
  | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
  | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware
+version: 1.0.0
--- a/Queries/Overrides/Admin
+++ b/Queries/Overrides/Admin
@ -2,14 +2,20 @@ id: fd68706e-8e3e-4ccd-9230-1f267bdad4c8
 name: Admin overrides
 description: |
  This query helps in reviewing malicious emails allowed due to admin overrides
+description-detailed: |
+  This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
  EmailEvents
  | where DeliveryLocation == "Inbox/folder" 
  | where isnotempty(ThreatTypes) and OrgLevelAction == "Allow" 
  | count
+version: 1.0.0
--- a/Queries/Overrides/Top
+++ b/Queries/Overrides/Top
@ -2,13 +2,19 @@ id: c73ae295-d120-4f79-aaed-de005f766ad2
 name: Top policies performing admin overrides
 description: |
  This query helps in reviewing top policies for admin overrides (Allow/Block)
+description-detailed: |
+  This query helps in reviewing top policies for admin defined detection overrides (Allow/Block)in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
  EmailEvents  
  | where Timestamp > ago(30d) and OrgLevelPolicy!="" and OrgLevelAction == "Allow"  //"Block"
  | summarize count() by OrgLevelPolicy
+version: 1.0.0
--- a/Queries/Overrides/Top
+++ b/Queries/Overrides/Top
@ -2,13 +2,19 @@ id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
 name: Top policies performing user overrides
 description: |
  This query helps in reviewing top policies for user overrides (Allow/Block)
+description-detailed: |
+  This query helps in reviewing top policies for user defined detection overrides (Allow/Block)in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
  EmailEvents
  | where Timestamp > ago(30d) and UserLevelPolicy!="" and UserLevelAction == "Allow" //"Block"
  | summarize count() by UserLevelPolicy
+version: 1.0.0
--- a/Queries/Overrides/User
+++ b/Queries/Overrides/User
@ -2,14 +2,20 @@ id: b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9
 name: User overrides
 description: |
  This query helps in reviewing malicious emails allowed due to user overrides
+description-detailed: |
+  This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
 query: |
  EmailEvents
  | where DeliveryLocation == "Inbox/folder" 
  | where isnotempty(ThreatTypes) and UserLevelAction == "Allow" 
  | count
+version: 1.0.0
--- a/Queries/Phish/Appspot
+++ b/Queries/Phish/Appspot
@ -1,6 +1,8 @@
 id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
 name: Appspot Phishing Abuse
 description: |
+  This query helps surface phishing campaigns associated with Appspot abuse.
+description-detailed: |
  This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
  This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
  Reference - https://twitter.com/MsftSecIntel
@ -10,7 +12,9 @@ requiredDataConnectors:
  - EmailUrlInfo
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailUrlInfo
  // Detect URLs with a subdomain on appspot.com
@ -23,4 +27,5 @@ query: |
  | where Url has RecipientEmailAddress
      // Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
      or Url has base64_encode_tostring(RecipientEmailAddress)
-  | project-away Timestamp1, NetworkMessageId1, ReportId1 
+  | project-away Timestamp1, NetworkMessageId1, ReportId1
+version: 1.0.0
--- a/Queries/Phish/PhishDetectionByDetectionMethod.yaml
+++ b/Queries/Phish/PhishDetectionByDetectionMethod.yaml
@ -1,13 +1,17 @@
 id: 9d59be10-54d9-478b-b669-fb4eb8517cd0
 name: Phish detections by detection methods
 description: |
-  This query helps reviewing detections done by some of the most frequent detection technologies in the last 7 days
+  This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days
+description-detailed: |
+  This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days in Defender for Office 365
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(7d)
@ -32,3 +36,4 @@ query: |
          )
  | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
  | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Phish
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,13 +1,18 @@
 id: 25150085-015a-4673-9b67-bc6ad9475500
 name: Campaign with randomly named attachments
 description: |
-  In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients, typically more than 50, can potentially indicate a QR code phishing campaign
+  In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
+description-detailed: |
+  In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients using Defender for Office 365 data, typically more than 50, can potentially indicate a QR code phishing campaign.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailAttachmentInfo
  | where Timestamp > ago(7d)
@ -15,4 +20,5 @@ query: |
  | where isnotempty(FileName)
  | extend firstFourFileName = substring(FileName, 0, 4)
  | summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
-  | where FirstFourFilesCount >= 10
+  | where FirstFourFilesCount >= 10
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,12 +2,17 @@ id: 9b086a51-e396-4718-90d7-f7b3646e6581
 name: Campaign with suspicious keywords
 description: |
  In this detection, we track emails with suspicious keywords in subjects.
+description-detailed: |
+  In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let PhishingKeywords = ()
  {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
@ -16,4 +21,5 @@ query: |
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"
  | where isempty(SenderObjectId)
-  | where Subject has_any (PhishingKeywords())
+  | where Subject has_any (PhishingKeywords())
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,13 +2,18 @@ id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
 name: Custom detection-Emails with QR from non-prevalent senders
 description: |
  In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
+description-detailed: |
+  In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
  - EmailUrlInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let QRCode_emails = EmailUrlInfo
  | where Timestamp > ago (2d)
@ -42,4 +47,5 @@ query: |
  | where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
  | join kind=inner senders_NMIDs on NetworkMessageId
  | project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
-  QRCode_emails_from_non_prevalent_senders
+  QRCode_emails_from_non_prevalent_senders
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,13 +2,18 @@ id: 594fe5a1-53b6-466b-86df-028366c3994e
 name: Emails delivered having URLs from QR codes
 description: |
  In this query, we hunt for inbound emails delivered having URLs from QR codes
+description-detailed: |
+  In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
  - EmailUrlInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(30d)
@ -16,4 +21,5 @@ query: |
  | where DeliveryAction == "Delivered"
  | join EmailUrlInfo on NetworkMessageId
  | where UrlLocation == "QRCode"
-  | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
+  | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,13 +2,18 @@ id: 706b711a-7622-40f1-9ebb-331d1a0ff697
 name: Emails with QR codes and suspicious keywords in subject
 description: |
  In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
+description-detailed: |
+  In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
  - EmailUrlInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let SubjectKeywords = ()
  {pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password",  "payment", "urgent", "verify");};
@ -18,4 +23,5 @@ query: |
  | where DeliveryAction == "Delivered"
  | where Subject has_any (SubjectKeywords)
  | join EmailUrlInfo on NetworkMessageId
-  | where UrlLocation == "QRCode"
+  | where UrlLocation == "QRCode"
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,13 +2,18 @@ id: f708c866-073a-4107-a60b-ba6f86e54caa
 name: Emails with QR codes from non-prevalent sender
 description: |
  In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
+description-detailed: |
+  In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
  - EmailUrlInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let senderprevalence =
  EmailEvents
@ -27,4 +32,5 @@ query: |
  | join EmailUrlInfo on NetworkMessageId
  | where UrlLocation == "QRCode"
  | distinct SenderFromAddress,Url,NetworkMessageId;
-  QR_from_non_prevalent
+  QR_from_non_prevalent
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,13 +2,17 @@ id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
 name: Hunting for sender patterns
 description: |
  In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
+description-detailed: |
+  In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
  - EmailAttachmentInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let PhishingSenderDisplayNames = ()
  {
@ -39,4 +43,5 @@ query: |
  | distinct SenderFromDomain);
  suspiciousEmails
  | where SenderFromDomain !in (prevalentSenders)
-  | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
+  | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
+version: 1.0.0 
--- a/signals-clusters.yaml
+++ b/signals-clusters.yaml
@ -1,13 +1,17 @@
 id: 8c852f12-499f-499b-afc1-25c50aa9b462
 name: Hunting for user signals-clusters
 description: |
-  In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify th escope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table
+  In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
+description-detailed: |
+  In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table using Defender for Office 365 data.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let suspiciousClusters = EmailEvents
  | where Timestamp > ago(7d)
@ -18,4 +22,5 @@ query: |
  | where Timestamp > ago(7d)
  | where EmailDirection == "Inbound"
  | where EmailClusterId in (suspiciousClusters)
-  | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
+  | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,13 +2,18 @@ id: f6354c94-3a95-4235-8530-414f016a7bf6
 name: Inbound emails with QR code URLs
 description: |
  In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
+description-detailed: |
+  In this query, we summarize volume of inbound emails with QR code URLs in last 30 days using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
  - EmailUrlInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(30d)
@ -16,4 +21,5 @@ query: |
  | join EmailUrlInfo on NetworkMessageId
  | where UrlLocation == "QRCode"
  | summarize dcount(NetworkMessageId) by bin(Timestamp, 1d)
-  | render timechart
+  | render timechart
+version: 1.0.0 
--- a/code/Personalized
+++ b/code/Personalized
@ -1,13 +1,17 @@
 id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
 name: Personalized campaigns based on the first few keywords
 description: |
-  In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
+  In this detection, we track emails with personalized subjects. 
+description-detailed: |
+   In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(1d)
@ -17,4 +21,5 @@ query: |
  | extend words = split(Subject," ")
  | project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
  | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
-  | where SubjectsCount >= 10
+  | where SubjectsCount >= 10
+version: 1.0.0 
--- a/code/Personalized
+++ b/code/Personalized
@ -1,13 +1,17 @@
 id: 54d3455d-27e0-4ceb-99f9-375abd620151
 name: Personalized campaigns based on the last few keywords
 description: |
-  In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
+  In this detection, we track emails with personalized subjects.
+description-detailed: |
+  In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(1d)
@ -17,4 +21,5 @@ query: |
  | extend words = split(Subject," ")
  | project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
  | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
-  | where SubjectsCount >= 10
+  | where SubjectsCount >= 10
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,13 +1,18 @@
 id: 8d298b5c-feca-4add-bd42-e43e0a317a88
 name: Risky sign-in attempt from a non-managed device
 description: |
+  In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
+description-detailed: |
  In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device as this can be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  AADSignInEventsBeta
  | where Timestamp > ago(7d)
@ -22,4 +27,5 @@ query: |
  | where isnotempty(AccountObjectId)
  | where isempty(DeviceName)
  | where isempty(AadDeviceId)
-  | project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
+  | project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,14 +1,19 @@
 id: 3131d0ba-32c9-483e-a25c-82e26a07e116
 name: Suspicious sign-in attempts from QR code phishing campaigns
 description: |
+  This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
+description-detailed: |
  This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
  - AADSignInEventsBeta
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let successfulRiskySignIn = materialize(AADSignInEventsBeta
  | where Timestamp > ago(1d)
@ -38,4 +43,5 @@ query: |
  | extend items = folders.FolderItems
  | mv-expand items
  | extend InternetMessageId = tostring(items.InternetMessageId)
-  | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
+  | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
+version: 1.0.0 
--- a/Queries/Quarantine/Group
+++ b/Queries/Quarantine/Group
@ -1,14 +1,18 @@
 id: a12cac64-ea6d-46d4-91a6-262b165fb9ad
 name: Group quarantine release
 description: |
-  This query helps in reviewing group released messages by detection type. Useful to see what is leading to the largest number of messages being released.
+  This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
+description-detailed: |
+  This query helps in reviewing group Quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents 
  | where ActionType == "QuarantineReleaseMessage"
@ -17,3 +21,4 @@ query: |
  | join EmailEvents on NetworkMessageId
  | summarize count() by DetectionMethods
  | order by count_ desc
+version: 1.0.0 
--- a/Queries/Quarantine/High
+++ b/Queries/Quarantine/High
@ -1,14 +1,18 @@
 id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc
 name: High Confidence Phish Released
 description: |
-  This query shows information about high confidence phish email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
+  This query shows information about high confidence phish email that has been released from the Quarantine.
+description-detailed: |
+  This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents 
  | where ActionType == "QuarantineReleaseMessage"
@ -19,4 +23,5 @@ query: |
    | project-rename EmailTime = Timestamp
    ) on NetworkMessageId
  | project-away NetworkMessageId1
-  | order by ReleaseTime asc
+  | order by ReleaseTime asc
+version: 1.0.0 
--- a/Queries/Quarantine/Quarantine
+++ b/Queries/Quarantine/Quarantine
@ -1,14 +1,19 @@
 id: 6f96f6d7-d972-421e-a59f-6b9a8de81324
 name: Quarantine Release Email Details
 description: |
-  This query shows information about email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
+  This query shows information about email that has been released from the Quarantine in Defender for Office 365.
+description-detailed: |
+  This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents 
  | where ActionType == "QuarantineReleaseMessage"
@ -18,4 +23,5 @@ query: |
    | project-rename EmailTime = Timestamp
    ) on NetworkMessageId
  | project-away NetworkMessageId1
-  | order by ReleaseTime asc 
+  | order by ReleaseTime asc
+version: 1.0.0  
--- a/Queries/Quarantine/Quarantine
+++ b/Queries/Quarantine/Quarantine
@ -1,16 +1,22 @@
 id: 9f135aef-ad25-4df2-bdab-8399978a36a2
 name: Quarantine release trend
 description: |
-  This query helps reviewing quarantine release trend
+  This query helps reviewing quarantine release trend in Defender for Office 365
+description-detailed: |
+  This query helps reviewing quarantine release trend in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents
  | where ActionType == "QuarantineReleaseMessage"
  | summarize count() by bin(Timestamp, 1d)
  | project-rename Releases = count_
  | render timechart with (title="Qurantine Releases by Day")
+version: 1.0.0
--- a/Queries/Remediation/Email
+++ b/Queries/Remediation/Email
@ -1,6 +1,9 @@
 id: 99713387-9d61-49eb-8edc-f51153d8bb01
 name: Listing Email Remediation Actions via Explorer
 description: |
+  Listing Email Remediation Actions performed via Explorer in Defender for Office 365
+description-detailed: |
+  Listing Email Remediation Actions performed via Explorer in Defender for Office 365
  - Track each cases with Network Message ID
  - Sort the users who got a number of actions 
  - e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items 
@ -8,7 +11,10 @@ requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
-tactics: []
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  | where Timestamp > ago(30d)
@ -23,4 +29,5 @@ query: |
  | extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
  | extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
  | project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
-  | order by Sum_case desc 
+  | order by Sum_case desc
+version: 1.0.0
--- a/Impersonation/Display
+++ b/Impersonation/Display
@ -2,19 +2,23 @@ id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c
 name: Display Name - Spoof and Impersonation
 description: |
  This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name
+description-detailed: |
+  This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name using Defender for Office 365 Data
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(24hrs)
  and DeliveryAction == "Delivered"
  and SenderDisplayName contains "Microsoft"
  | summarize count() by SenderFromAddress
-  | where count_ > 3 // ensuring that some level of communications has occured.
+  | where count_ > 3 // ensuring that some level of communications has occurred.
  | project SenderFromAddress;
  EmailEvents
  | where Timestamp > ago(24hrs)
@ -27,4 +31,5 @@ query: |
  | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
  | join kind=leftanti  ( emailDelivered ) on SenderFromAddress
  | order by SenderMailFromAddress
-  | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
+  | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
+version: 1.0.0 
--- a/Impersonation/Referral
+++ b/Impersonation/Referral
@ -1,6 +1,8 @@
 id: cdc4da1c-64a1-4941-be59-1f5cc85481ab
 name: referral-phish-emails
 description: |
+  Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
+description-detailed: |
  The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
@ -8,7 +10,9 @@ requiredDataConnectors:
  - EmailEvents
  - EmailUrlInfo
 tactics:
- Credential Access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let EmailAddresses = pack_array
  ('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
@ -20,3 +24,4 @@ query: |
  | extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
  | where SenderFromDomain == RecipientDomain
  | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
+version: 1.0.0
--- a/Impersonation/Spoof
+++ b/Impersonation/Spoof
@ -2,14 +2,20 @@ id: b3180ac0-6d94-494a-8b8c-fcc84319ea6e
 name: Spoof and impersonation detections by sender IP
 description: |
  This query helps reviewing count of spoof and impersonation detections done per sender IP
+description-detailed: |
+  This query helps reviewing count of spoof and impersonation detections done per sender IP using Defender for Office 365 data.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")  
  | project Timestamp, EmailDirection, SenderFromAddress, AdditionalFields, SenderIPv4 
  | summarize count() by SenderIPv4
+version: 1.0.0
--- a/Impersonation/Spoof
+++ b/Impersonation/Spoof
@ -2,15 +2,21 @@ id: 011c3d48-f6ca-405f-9763-66c7856ad2ba
 name: Spoof and impersonation phish detections
 description: |
  This query helps reviewing count of phish detections done by spoof detection methods
+description-detailed: |
+  This query helps reviewing count of phish detections done by spoof detection methods in Defender for Office 365.
+  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents
  |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
  | project Timestamp, AR=parse_json(ThreatTypes) , DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress
  | evaluate bag_unpack(DT)
  | summarize count() by tostring(Phish)
+version: 1.0.0
--- a/impersonation.yaml
+++ b/impersonation.yaml
@ -2,13 +2,17 @@ id: e90345b3-439c-44e1-a85d-8ae84ad9c65b
 name: User not covered under display name impersonation
 description: |
  This query helps to find threats using display name impersonation for users not already protected with User Impersonation
+description-detailed: |
+  This query helps to find threats using display name impersonation for users not already protected with User Impersonation
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - IdentityInfo
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let display_names = 
  IdentityInfo 
@ -21,3 +25,4 @@ query: |
    | lookup kind=inner (display_names) on SenderDisplayName, $left.SenderDisplayName == $right.SenderDisplayName 
    | where SenderDisplayName != "" 
    | summarize by SenderDisplayName
+version: 1.0.0 
--- a/Queries/Submissions/Admin
+++ b/Queries/Submissions/Admin
@ -2,12 +2,16 @@ id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49
 name: Admin reported submissions
 description: |
  This query helps reviewing admin reported email submissions
+description-detailed: |
+  This query helps reviewing admin reported email submissions in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents 
  | where Timestamp > ago(30d) 
@ -15,3 +19,4 @@ query: |
  | extend SubmissionState = (parse_json(RawEventData)).SubmissionState  
  | where Record == 29 
  | where ActionType == "AdminSubmission"
+version: 1.0.0 
--- a/Queries/Submissions/Status
+++ b/Queries/Submissions/Status
@ -2,12 +2,16 @@ id: 1c390fd7-2668-4445-9b7d-055f3851be5f
 name: Status of submissions
 description: |
  This query helps reviewing status of submissions
+description-detailed: |
+  This query helps reviewing status of submissions in Defender for Office 365.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents
  | where Timestamp > ago(30d) 
@ -18,3 +22,4 @@ query: |
  | where ActionType == "UserSubmission" or ActionType == "AdminSubmission" 
  | summarize count() by tostring(SubmissionState) 
  | sort by count_
+version: 1.0.0
--- a/Queries/Submissions/Top
+++ b/Queries/Submissions/Top
@ -2,12 +2,16 @@ id: 2d2351ca-e9a6-4286-b445-a9268189c1dc
 name: Top submitters of admin submissions
 description: |
  This query helps reviewing top submitters of admin submissions
+description-detailed: |
+  This query helps reviewing top submitters of admin submissions in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents
  | where Timestamp > ago(30d) 
@ -18,3 +22,4 @@ query: |
  | where ActionType == "AdminSubmission" 
  | summarize count() by tostring(UserKey) 
  | sort by count_
+version: 1.0.0
--- a/Queries/Submissions/Top
+++ b/Queries/Submissions/Top
@ -2,12 +2,16 @@ id: 8c9bc29b-f32a-49fe-8fe8-450479f4130f
 name: Top submitters of user submissions
 description: |
  This query helps reviewing top submitters of user submissions
+description-detailed: |
+  This query helps reviewing top submitters of user submissions in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents
  | where Timestamp > ago(30d) 
@ -18,3 +22,4 @@ query: |
  | where ActionType == "UserSubmission" 
  | summarize count() by tostring(UserKey) 
  | sort by count_
+version: 1.0.0
--- a/Queries/Submissions/User
+++ b/Queries/Submissions/User
@ -2,12 +2,16 @@ id: 0bd33643-c517-48b1-8211-25a7fbd15a50
 name: User reported submissions
 description: |
  This query helps reviewing user reported email submissions
+description-detailed: |
+  This query helps reviewing user reported email submissions in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  CloudAppEvents 
  | where Timestamp > ago(30d) 
@ -15,3 +19,4 @@ query: |
  | extend SubmissionState = (parse_json(RawEventData)).SubmissionState  
  | where Record == 29 
  | where ActionType == "UserSubmission"
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,13 +1,17 @@
 id: de480ca4-4095-4fef-b3e7-2a3f17f24e78
 name: Attacked more than x times average
 description: |
-  This query helps reviewing count of users attacked more than x times average. Update the value of x in the query to get desired results.
+  This query helps reviewing count of users attacked more than x times average.
+description-detailed: |
+  This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let AverageThreatPerRecipient = toscalar(EmailEvents 
  | where DetectionMethods != "" 
@ -17,3 +21,4 @@ query: |
  | where DetectionMethods != "" 
  | summarize total=count() by RecipientEmailAddress 
  | where tolong(total) >= 1*AverageThreatPerRecipient // update "1"
+version: 1.0.0
--- a/Attacks/Malicious
+++ b/Attacks/Malicious
@ -2,15 +2,20 @@ id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27
 name: Malicious mails by sender IPs
 description: |
  This query helps reviewing sender IPs sending malicious email of type Malware or Phish
+description-detailed: |
+  This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where Timestamp > ago(30d) 
  | where ThreatTypes has "Phish" or ThreatTypes has "Malware"
  | summarize count() by SenderIPv4 //SenderIPv6
  | sort by count_
+version: 1.0.0
--- a/organization.yaml
+++ b/organization.yaml
@ -1,14 +1,18 @@
 id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25
 name: Top 10 URL domains attacking organization
 description: |
-  This query helps reviewing list of top 10 URL domains attacking organization
+  This query helps reviewing list of top 10 URL domains attacking the organization
+description-detailed: |
+  This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where ThreatTypes != "" 
@ -20,3 +24,4 @@ query: |
  | summarize total=count() by UrlDomain 
  | top 10 by total 
  | render columnchart
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,12 +2,16 @@ id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58
 name: Top 10% of most attacked users
 description: |
  This query helps reviewing the list of top 10% of most attacked users
+description-detailed: |
+  This query helps reviewing the list of top 10% of most attacked users using Defender for Office 365 data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let topTargeted = toscalar( EmailEvents 
  | where DetectionMethods != "" 
@ -18,3 +22,4 @@ query: |
  | summarize total=count() by RecipientEmailAddress 
  | where total >= topTargeted 
  | order by total desc
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,15 +2,20 @@ id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2
 name: Top external malicious senders
 description: |
  This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days
+description-detailed: |
+  This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where Timestamp > ago(30d) 
  | where EmailDirection == "Inbound" 
  | summarize count() by SenderFromAddress 
  | sort by count_
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,15 +2,20 @@ id: a1664330-810a-473b-b354-acbaa751a294
 name: Top targeted users
 description: |
  This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days
+description-detailed: |
+  This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where Timestamp > ago(30d) 
  | where ThreatTypes has "Malware" or ThreatTypes has "Phish" 
  | summarize count() by RecipientEmailAddress 
  | sort by count_
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,12 +2,16 @@ id: d24e9c4a-b72a-4a85-89cd-83760ae61155
 name: End user malicious clicks
 description: |
  This query helps reviewing list of top users click on Phis URLs
+description-detailed: |
+  This query helps reviewing list of top users click on Phis URLs using Defender for Office 365 data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  UrlClickEvents
  | where ThreatTypes contains "Phish"
@ -17,3 +21,4 @@ query: |
  | extend ErrorPage = ActionType has_any('UrlErrorPage')
  | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough)  by AccountUpn
  | sort by Blocked desc
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -2,12 +2,16 @@ id: 3f007cdc-86bf-4657-9015-05101a3e54f5
 name: URL click count by click action
 description: |
  This query helps reviewing URL click count by ClickAction
+description-detailed: |
+  This query helps reviewing URL click count by ClickAction using Defender for Office 365 data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  UrlClickEvents 
  | extend UrlBlocked = ActionType has_any("ClickBlocked") 
@ -15,3 +19,4 @@ query: |
  | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress') 
  | extend ErrorPage = ActionType has_any('UrlErrorPage') 
  | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough)
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,7 +1,10 @@
 id: efe27064-6d35-4720-b7f5-e0326695613d
 name: URL click on ZAP email
 description: |
-  In this query, we looking for Url clicks on emails wich get actioned by Zerohour auto purge
+  In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge
+description-detailed: |
+  In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge (ZAP) in Defender for Office 365.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
@ -9,9 +12,12 @@ requiredDataConnectors:
   - Alertinfo
   - AlertEvidence
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  AlertInfo
  | where Title contains "Email messages containing malicious URL removed after delivery" and Timestamp > ago (7d)
  | join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId 
-  | join UrlClickEvents on NetworkMessageId
+  | join UrlClickEvents on NetworkMessageId
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,17 +1,22 @@
 id: bc46e331-3cb0-483d-9c90-989d2a59457f
 name: URL clicks actions by URL
 description: |
-  In this query, we looking URL click actions by URL in th elast 7 days
+  In this query, we are looking URL click actions by URL in the last 7 days
+description-detailed: |
+  In this query, we are looking URL click actions by URL in the last 7 days using Defender for Office 365 data.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
   - UrlClickEvents
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  UrlClickEvents
  | extend UrlBlocked = ActionType has_any("ClickBlocked")
  | extend UrlAllowed = ActionType has_any('ClickAllowed')
  | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress')
  | extend ErrorPage = ActionType has_any('UrlErrorPage')
-  | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
+  | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,7 +1,9 @@
 id: 03e61096-20d0-46eb-b8e0-a507dd00a19f
 name: URLClick details based on malicious URL click alert
 description: |
-  In this query, we looking for Url clicks on emails wich are generated the alert-A potentially malicious URL click was detected
+  In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected
+description-detailed: |
+  In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected in Defender for Office 365.
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
@ -9,9 +11,12 @@ requiredDataConnectors:
   - Alertinfo
   - AlertEvidence
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  AlertInfo
  | where Title contains "Potentially malicious" and Timestamp > ago (30d)
  | join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId 
-  | join UrlClickEvents on NetworkMessageId
+  | join UrlClickEvents on NetworkMessageId
+version: 1.0.0 
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,15 +1,20 @@
 id: f075d4c4-cf76-4e5d-9c2d-9ed524286316
 name: User clicked through events
 description: |
-  This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page via click though option on SafeLinks warning page
+  This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page.
+description-detailed: |
+  This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page via click though option on SafeLinks warning page in Defender for Office 365.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  UrlClickEvents 
  | where ActionType == "ClickAllowed" or IsClickedThrough !="0" 
  | where ThreatTypes has "Phish" 
  | summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,14 +1,18 @@
 id: 891f4865-75e5-4d40-bc24-ebf97da3ca9a
 name: User clicks on malicious inbound emails
 description: |
-  This query provides insights on users who clicked on a suspicious URL from phishing/malware-categorized inbound emails over the past 30 days.
+  This query provides insights on users who clicked on a suspicious URL
+description-detailed: |
+  This query provides insights on users who clicked on a suspicious URL from phishing/malware-categorized inbound emails over the past 30 days using Defender for Office 365 Data.
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - UrlClickEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  let UrlClicked = (UrlClickEvents
  | where ActionType == "ClickAllowed" or IsClickedThrough !="0"
@ -21,3 +25,4 @@ query: |
  | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
  | join kind = inner UrlClicked on NetworkMessageId
  | project Timestamp,NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, ThreatTypes, ActionType, Url, UrlChain, Device_IPv4, LatestDeliveryLocation, LatestDeliveryAction, EmailAction, EmailActionPolicy
+version: 1.0.0
--- a/Queries/Microsoft
+++ b/Queries/Microsoft
@ -1,6 +1,8 @@
 id: d823da0e-1334-4a66-8ff4-2c2c40d26295
 name: User clicks on phishing URLs in emails
 description: |
+  This query helps in determining clickthroughs when email delivered because of detection overrides.
+description-detailed: |
  This query helps in determining clickthroughs, potential deliveries through User/Tenant overrides and detection details for malicious clicks on URLs in emails
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
@ -8,9 +10,12 @@ requiredDataConnectors:
      - EmailEvents
      - UrlClickEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  UrlClickEvents 
  | where ThreatTypes has "Phish" 
  | join EmailEvents on NetworkMessageId,  $left.AccountUpn == $right.RecipientEmailAddress 
  | project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction
+version: 1.0.0
--- a/Queries/URL/Phishing
+++ b/Queries/URL/Phishing
@ -1,18 +1,23 @@
 id: 08aff8c6-b983-43a3-be95-68a10c3d35e6
 name: PhishingEmailUrlRedirector (1)
 description: |
+  The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.
+description-detailed: |
+  The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.
  This query was originally published on Twitter, by @MsftSecIntel.
-  The query helps detect emails associated with the open redirector URL campaign. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.
-  Reference - https://twitter.com/MsftSecIntel
+  Reference - https://twitter.com/MsftSecIntel 
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailUrlInfo
 tactics:
- Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailUrlInfo
  //This regex identifies emails containing the "T-Dot" redirector pattern in the URL
  | where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?" 
      //This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
      and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"
+version: 1.0.0
--- a/Queries/URL/SafeLinks
+++ b/Queries/URL/SafeLinks
@ -1,13 +1,18 @@
 id: 492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9
 name: SafeLinks URL detections
 description: |
-  This query provides insights on the detections done by SafeLinks protection
+  This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
+description-detailed: |
+  This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-links-about
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailEvents 
  | where DetectionMethods != "" 
@ -15,3 +20,4 @@ query: |
  | where detection == '["URL detonation reputation"]' or detection == '["URL detonation"]' 
  | summarize total=count() by bin(Timestamp, 1d) 
  | order by Timestamp asc
+version: 1.0.0
--- a/Queries/ZAP/Total
+++ b/Queries/ZAP/Total
@ -2,14 +2,19 @@ id: c10b22a0-6021-46f9-bdaf-05bf2350a554
 name: Total ZAP count
 description: |
  This query helps reviewing count of total ZAP events
+description-detailed: |
+  This query helps reviewing count of total ZAP events in Defender for Office 365
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailPostDeliveryEvents
 tactics:
-  - Initial access
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
  EmailPostDeliveryEvents 
  | where Timestamp > ago(30d) 
  | where ActionType == "Phish ZAP" or ActionType == "Malware ZAP" 
  | count
+version: 1.0.0
--- a/Queries/Attachment/ATP
+++ b/Queries/Attachment/ATP
@ -0,0 +1,27 @@
+id: 518e6938-10ef-4165-af19-82f1287141bc
+name: ATP policy status check
+description: |
+  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
+description-detailed: |
+  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
+query: |
+  CloudAppEvents
+  | where Application == "Microsoft Exchange Online"
+  | where ActionType == "Set-AtpPolicyForO365"
+  | mv-expand ActivityObjects
+  | extend Name = tostring(ActivityObjects.Name)
+  | extend Value = tostring(ActivityObjects.Value)
+  | where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")
+  | extend packed = pack(Name, Value)
+  | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
+  | evaluate bag_unpack(PackedInfo)
+version: 1.0.0
--- a/Queries/Attachment/JNLP
+++ b/Queries/Attachment/JNLP
@ -0,0 +1,18 @@
+id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
+name: JNLP-File-Attachment
+description: |
+  JNLP file extensions are an uncommon file type often used to deliver malware.
+description-detailed: |
+  JNLP file extensions are an uncommon file type often used to deliver malware.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailAttachmentInfo
+tactics:
+- InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailAttachmentInfo
+  | where FileName endswith ".jnlp"
+version: 1.0.0
--- a/Queries/Attachment/Safe
+++ b/Queries/Attachment/Safe
@ -0,0 +1,23 @@
+id: 16eda414-1550-4cdc-8512-0769901d3f05
+name: Safe Attachments detections
+description: |
+  This query provides insights on the detections done by Safe Attachment detections
+description-detailed: |
+  This query provides insights on the detections done by Safe Attachment detections.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where DetectionMethods != "" 
+  | extend detection= tostring(parse_json(DetectionMethods).Phish) 
+  | where detection has "File detonation reputation" or detection has "File detonation"
+  | summarize total=count() by bin(Timestamp, 1d) 
+  | order by Timestamp asc
+version: 1.0.0
--- a/Queries/Authentication/Authentication
+++ b/Queries/Authentication/Authentication
@ -0,0 +1,23 @@
+id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
+name: Authentication failures by time and authentication type
+description: |
+  This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
+description-detailed: |
+  This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where Timestamp > ago (30d)
+  | project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods
+  | evaluate bag_unpack(AR)
+  | where DMARC == "fail"
+  | summarize count() by bin(Timestamp, 1d)
+version: 1.0.0
--- a/Queries/Authentication/Spoof
+++ b/Queries/Authentication/Spoof
@ -0,0 +1,22 @@
+id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
+name: Spoof attempts with auth failure
+description: |
+  This query helps in checking for spoofing attempts on the domain with Authentication failures
+description-detailed: |
+  This query helps in checking for spoofing attempts on the domain with Authentication failures.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents 
+  | where Timestamp > ago (1d) and DetectionMethods contains "spoof"  
+  | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames  
+  | evaluate bag_unpack(AR)  
+  | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
+version: 1.0.0
--- a/Queries/General/Audit
+++ b/Queries/General/Audit
@ -0,0 +1,29 @@
+id: ba1a91ad-1f99-4386-b191-06a76ef213f8
+name: Audit Email Preview-Download action
+description: |
+  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
+description-detailed: |
+  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+- PrivilegeEscalation
+relevantTechniques:
+  - T1078
+query: |
+  CloudAppEvents
+  | project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData) 
+  | evaluate bag_unpack(AR)
+  | where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl"
+  | serialize 
+  | extend RowNumber = row_number()
+  | mv-expand ExtendedProperties
+  | evaluate bag_unpack(ExtendedProperties, 'xp_')
+  | extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
+  | summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName),  DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
+  | extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
+  | project-away RowNumber
+version: 1.0.0
--- a/Queries/General/Hunt
+++ b/Queries/General/Hunt
@ -0,0 +1,20 @@
+id: bc2d8214-afb6-4876-b210-25b69325b9b2
+name: Hunt for TABL changes
+description: |
+  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
+description-detailed: |
+  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
+query: |
+  CloudAppEvents
+  | where ActionType contains "TenantAllowBlockListItems"
+  | order by Timestamp desc
+version: 1.0.0
--- a/Queries/General/Local
+++ b/Queries/General/Local
@ -0,0 +1,20 @@
+id: 712ffdd8-ddce-4372-85dd-063029b418cf
+name: Local time to UTC time conversion
+description: |
+  Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
+description-detailed: |
+  This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
+  | where DeliveryAction == "Delivered"
+  | where LatestDeliveryLocation == "Quarantine"
+version: 1.0.0
--- a/Queries/General/MDO
+++ b/Queries/General/MDO
@ -0,0 +1,66 @@
+id: deb4b2c6-c10e-4044-8cf4-84243e40db73
+name: MDO daily detection summary report
+description: |
+  This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
+description-detailed: |
+  This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+  - AlertEvidence
+  - EmailEvents
+  - EmailPostDeliveryEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let QueryTime = 30d;
+  let Reports = CloudAppEvents 
+  | where Timestamp > ago(QueryTime)
+  | where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
+  | extend MessageDate = todatetime((parse_json(RawEventData)).MessageDate)
+  | extend NetworkMessageID = tostring((parse_json(RawEventData)).ObjectId)
+  | extend Date_value = tostring(format_datetime( MessageDate, "yyyy-MM-dd"))
+  | distinct Date_value,NetworkMessageID
+  | summarize count() by Date_value
+  | project Date_value, MessagesGotReported=count_;
+  let ThreatByAutomation = (AlertEvidence | where Title == "Email reported by user as malware or phish")
+  | extend LastVerdictfromAutomation = tostring((parse_json(AdditionalFields)).LastVerdict)
+  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
+  | extend DetectionFromAIR = iif(isempty(LastVerdictfromAutomation), "NoThreatsFound", tostring(LastVerdictfromAutomation))
+  | summarize PostDeliveryTotalAIRInvestigations = count(),
+           PostDeliveryAirNoThreatsFound = countif(DetectionFromAIR contains "NoThreatsFound"),
+           PostDeliveryAirSuspicious = countif(DetectionFromAIR contains "Suspicious"),
+           PostDeliveryAirMalicious = countif(DetectionFromAIR contains "Malicious")
+           by Date_value          //Date Reported from Message Submissions from CloudAppEvents does not match to the AIR Investigations from Alert playbooks
+  | project Date_value, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirSuspicious, PostDeliveryAirMalicious;
+  let DeliveryInboundEvents = (EmailEvents | where EmailDirection == "Inbound" and Timestamp > ago(QueryTime)
+  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
+  | project Date_value, Timestamp, NetworkMessageId, DetectionMethods ,RecipientEmailAddress);
+  let PostDeliveryEvents = (EmailPostDeliveryEvents | where ActionType contains "ZAP" and ActionResult == "Success"| join DeliveryInboundEvents on RecipientEmailAddress, NetworkMessageId //Only successful ZAP Events, there could still be more, join on Recipient and NetID
+  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) //Zap Timestamp is used and not MessageDate received
+  | summarize PostDeliveryZAP=count() by Date_value);
+  let DeliveryByThreat = (DeliveryInboundEvents
+  | where Timestamp > ago(QueryTime)
+  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
+  | extend MDO_detection = parse_json(DetectionMethods)
+  | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0]))
+  | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)"))
+  | summarize TotalEmails = count(),
+           Clean = countif(FirstSubcategory contains "Clean"),
+           Malware = countif(FirstSubcategory contains "Malware"),
+           Phish = countif(FirstSubcategory contains "Phish"),
+           Spam = countif(FirstSubcategory contains "Spam" and FirstSubcategory !contains "Bulk"),
+           Bulk = countif(FirstSubcategory contains "Bulk")                  
+           by Date_value;
+  DeliveryByThreat
+  | join kind=fullouter Reports on Date_value
+  | join kind=fullouter PostDeliveryEvents on Date_value
+  | join kind=fullouter ThreatByAutomation on Date_value
+  | sort by Date_value asc
+  | project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
+  | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
+version: 1.0.0
--- a/Queries/General/Mail
+++ b/Queries/General/Mail
@ -0,0 +1,21 @@
+id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
+name: Mail item accessed
+description: |
+  This query helps reviewing emails accessed by end users using cloud app events data
+description-detailed: |
+  This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where Timestamp > ago(30d)
+  | extend Record= (parse_json(RawEventData)).RecordType
+  | where Record == 50
+  | take 10
+version: 1.0.0
--- a/Queries/General/Malicious
+++ b/Queries/General/Malicious
@ -0,0 +1,22 @@
+id: 63c799bc-7567-4e4d-97be-e143fcfaa333
+name: Malicious email senders
+description: |
+  This query helps hunting for emails from a sender with at least one email in quarantine
+description-detailed: |
+  This query helps hunting for emails from a sender with at least one email detected with a threat and sent into quarantine
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let SenderWithQuarantine = EmailEvents
+  | where LatestDeliveryLocation == "Quarantine"
+  | project SenderFromAddress;
+  EmailEvents
+  | where LatestDeliveryLocation == "Inbox/folder"
+  | where SenderFromAddress in (SenderWithQuarantine)
+version: 1.0.0
--- a/Queries/General/New
+++ b/Queries/General/New
@ -0,0 +1,33 @@
+id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
+name: New TABL Items
+description: |
+  This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
+description-detailed: |
+  This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
+  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
+query: |
+  CloudAppEvents
+  | where ActionType == "New-TenantAllowBlockListItems"
+  | extend Parameters = RawEventData.Parameters
+  | mv-apply Parameters on ( 
+    extend Out=bag_pack(tostring(Parameters.Name), Parameters.Value)
+    | summarize Parameters=make_bag(Out)
+    )
+  | extend Allow=Parameters.Allow, Block=Parameters.Block, Entry=Parameters.Entries, ExpirationDate=Parameters.ExpirationDate, ListType=Parameters.ListType,ListSubType=Parameters.ListSubType, ModifiedBy=Parameters.ModifiedBy, NoExpiration=Parameters.NoExpiration, SubmissionID=Parameters.SubmissionID, SubmissionUserId=Parameters.SubmissionUserId, Notes=Parameters.Notes
+  | extend Action=iff(Allow == "True", "Allow", iff(Block == "True", "Block", "Unknown")), AccountUpn=tostring(coalesce(SubmissionUserId, ModifiedBy))
+  | project Timestamp, Action, ListType, ListSubType, Entry, ExpirationDate, NoExpiration, AccountUpn, Notes, SubmissionID, ReportId
+  | order by Timestamp desc
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountUpn
+version: 1.0.0
--- a/Queries/Hunting/Emails
+++ b/Queries/Hunting/Emails
@ -0,0 +1,18 @@
+id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
+name: Emails containing links to IP addresses
+description: |
+  This query helps hunting for Emails containing links to IP addresses
+description-detailed: |
+  This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailUrlInfo
+  | where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
+version: 1.0.0
--- a/Queries/Hunting/Good
+++ b/Queries/Hunting/Good
@ -0,0 +1,30 @@
+id: e6259b03-622e-4e11-9c54-94987dad7c14
+name: Good emails from senders with bad patterns
+description: |
+  This query helps hunting for good emails from senders with bad patterns
+description-detailed: |
+  This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+    //Good emails from senders with bad patterns
+    let PctPhishThreshold = 50;
+    let LookbackWindow = 1d;
+     EmailEvents
+    | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
+    | extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
+    | where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
+    | summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
+    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
+    | summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
+    | project-away SenderMailFromAddress1,AuthenticationDetails1
+    | extend PctPhish = (PhishCount*100 / TotalCount)
+    | where PctPhish < 100 and PctPhish>= PctPhishThreshold
+    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
+version: 1.0.0
--- a/Показать больше
+++ b/Показать больше