Tool
Splunk
12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,786
Attempt to Clear Kernel Ring Buffer
Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events
to evade detection after installing a Linux kernel module (LKM). This activity is commonly observed by intrusions that
leverage kernel-level rootkits to maintain persistence on a compromised host.
Attempt to Install or Run Kali Linux via WSL
Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for
Linux to avoid detection.
Attempt to Unload Elastic Endpoint Security Kernel Extension
Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.
Attempted Bypass of Okta MFA
Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA
policies configured for an organization in order to obtain unauthorized access to an application.
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If this pattern appears in the command line, it most likely indicates an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or a check for the presence of such records through the `nslookup` command.
Show query
any where CommandLine:"*UWhRCA*" and CommandLine:"*BAAAA*"
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If this pattern appears in the command line, it most likely indicates an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or a check for the presence of such records through the `nslookup` command.
Show query
from * metadata _id, _index, _version | where CommandLine like "*UWhRCA*" and CommandLine like "*BAAAA*"
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If this pattern appears in the command line, it most likely indicates an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or a check for the presence of such records through the `nslookup` command.
Show query
CommandLine:*UWhRCA* AND CommandLine:*BAAAA*
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Show query
any where riskEventType:"unlikelyTravel"
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Show query
from * metadata _id, _index, _version | where riskEventType=="unlikelyTravel"
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Show query
riskEventType:unlikelyTravel
Audit Policy Tampering Via Auditpol
Threat actors can use the auditpol binary to change the audit policy configuration and impair detection capability.
This can be carried out by selectively disabling or removing certain audit policies, or by restoring a custom policy owned by the threat actor.
Show query
any where (Image:"*\\auditpol.exe" or OriginalFileName:"AUDITPOL.EXE") and (CommandLine like~ ("*disable*", "*clear*", "*remove*", "*restore*"))
Audit Policy Tampering Via Auditpol
Threat actors can use the auditpol binary to change the audit policy configuration and impair detection capability.
This can be carried out by selectively disabling or removing certain audit policies, or by restoring a custom policy owned by the threat actor.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\auditpol.exe") or OriginalFileName=="AUDITPOL.EXE") and (CommandLine like "*disable*" or CommandLine like "*clear*" or CommandLine like "*remove*" or CommandLine like "*restore*")
Audit Policy Tampering Via Auditpol
Threat actors can use the auditpol binary to change the audit policy configuration and impair detection capability.
This can be carried out by selectively disabling or removing certain audit policies, or by restoring a custom policy owned by the threat actor.
Show query
(Image:*\\auditpol.exe OR OriginalFileName:AUDITPOL.EXE) AND (CommandLine:(*disable* OR *clear* OR *remove* OR *restore*))
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary shipped in the NT resource kit to change the audit policy configuration and impair detection capability.
This can be carried out by selectively disabling or removing certain audit policies, or by restoring a custom policy owned by the threat actor.
Show query
any where CommandLine like~ ("*/logon:none*", "*/system:none*", "*/sam:none*", "*/privilege:none*", "*/object:none*", "*/process:none*", "*/policy:none*")
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary shipped in the NT resource kit to change the audit policy configuration and impair detection capability.
This can be carried out by selectively disabling or removing certain audit policies, or by restoring a custom policy owned by the threat actor.
Show query
from * metadata _id, _index, _version | where CommandLine like "*/logon:none*" or CommandLine like "*/system:none*" or CommandLine like "*/sam:none*" or CommandLine like "*/privilege:none*" or CommandLine like "*/object:none*" or CommandLine like "*/process:none*" or CommandLine like "*/policy:none*"
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary shipped in the NT resource kit to change the audit policy configuration and impair detection capability.
This can be carried out by selectively disabling or removing certain audit policies, or by restoring a custom policy owned by the threat actor.
Show query
CommandLine:(*\/logon\:none* OR *\/system\:none* OR *\/sam\:none* OR *\/privilege\:none* OR *\/object\:none* OR *\/process\:none* OR *\/policy\:none*)
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Show query
any where Image:"*/auditctl" and CommandLine regex~ "-D"
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Show query
from * metadata _id, _index, _version | where ends_with(Image, "/auditctl") and CommandLine rlike "-D"
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Show query
Image:*\/auditctl AND CommandLine:/-D/
Auditd Login from Forbidden Location
Identifies that a login attempt has happened from a forbidden location.
Auditing Configuration Changes on Linux Host
Detects changes to auditd configuration files.
Show query
any where type:"PATH" and (name like~ ("/etc/audit/*", "/etc/libaudit.conf", "/etc/audisp/*"))
Auditing Configuration Changes on Linux Host
Detects changes to auditd configuration files.
Show query
from * metadata _id, _index, _version | where type=="PATH" and (starts_with(name, "/etc/audit/") or name=="/etc/libaudit.conf" or starts_with(name, "/etc/audisp/"))
Auditing Configuration Changes on Linux Host
Detects changes to auditd configuration files.
Show query
type:PATH AND (name:(\/etc\/audit\/* OR \/etc\/libaudit.conf OR \/etc\/audisp\/*))
Axios NPM Compromise File Creation Indicators - Linux
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
Show query
any where Image:"*/curl" and TargetFilename:"/tmp/ld.py"
Axios NPM Compromise File Creation Indicators - Linux
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
Show query
from * metadata _id, _index, _version | where ends_with(Image, "/curl") and TargetFilename=="/tmp/ld.py"
Axios NPM Compromise File Creation Indicators - Linux
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
Show query
Image:*\/curl AND TargetFilename:\/tmp\/ld.py
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
Show query
any where (Image:"*/curl" and TargetFilename:"/Library/Caches/com.apple.act.mond") or (Image:"*/node" and TargetFilename:"/tmp/6202033")
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
Show query
from * metadata _id, _index, _version | where ends_with(Image, "/curl") and TargetFilename=="/Library/Caches/com.apple.act.mond" or ends_with(Image, "/node") and TargetFilename=="/tmp/6202033"
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
Show query
(Image:*\/curl AND TargetFilename:\/Library\/Caches\/com.apple.act.mond) OR (Image:*\/node AND TargetFilename:\/tmp\/6202033)
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Show query
any where (Image like~ ("*\\node.exe", "*\\powershell.exe")) and ((TargetFilename like~ ("C:\\ProgramData\\wt.exe", "C:\\ProgramData\\system.bat")) or (TargetFilename:"*C:\\Users\\*" and TargetFilename:"*\\AppData\\Local\\Temp\\6202033.vbs*") or (TargetFilename:"*C:\\Users\\*" and TargetFilename:"*\\AppData\\Local\\Temp\\6202033.ps1*"))
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\node.exe") or ends_with(Image, "\\powershell.exe")) and (TargetFilename in ("C:\\ProgramData\\wt.exe", "C:\\ProgramData\\system.bat") or TargetFilename like "*C:\\Users\\*" and TargetFilename like "*\\AppData\\Local\\Temp\\6202033.vbs*" or TargetFilename like "*C:\\Users\\*" and TargetFilename like "*\\AppData\\Local\\Temp\\6202033.ps1*")
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Show query
(Image:(*\\node.exe OR *\\powershell.exe)) AND ((TargetFilename:(C\:\\ProgramData\\wt.exe OR C\:\\ProgramData\\system.bat)) OR (TargetFilename:*C\:\\Users\\* AND TargetFilename:*\\AppData\\Local\\Temp\\6202033.vbs*) OR (TargetFilename:*C\:\\Users\\* AND TargetFilename:*\\AppData\\Local\\Temp\\6202033.ps1*))
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
Show query
any where ((ParentImage like~ ("*/node", "*/bun")) and (CommandLine:"*curl *" and CommandLine:"*/tmp/ld.py*" and CommandLine:"*python3 *" and CommandLine:"*nohup *" and CommandLine:"*6202033*")) or (Image:"*/curl" and CommandLine:"*http://sfrclak.com*")
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
Show query
from * metadata _id, _index, _version | where (ends_with(ParentImage, "/node") or ends_with(ParentImage, "/bun")) and CommandLine like "*curl *" and CommandLine like "*/tmp/ld.py*" and CommandLine like "*python3 *" and CommandLine like "*nohup *" and CommandLine like "*6202033*" or ends_with(Image, "/curl") and CommandLine like "*http://sfrclak.com*"
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
Show query
((ParentImage:(*\/node OR *\/bun)) AND (CommandLine:*curl\ * AND CommandLine:*\/tmp\/ld.py* AND CommandLine:*python3\ * AND CommandLine:*nohup\ * AND CommandLine:*6202033*)) OR (Image:*\/curl AND CommandLine:*http\:\/\/sfrclak.com*)
Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Show query
any where ((ParentImage like~ ("*\\node.exe", "*\\bun.exe")) and Image:"*\\cmd.exe" and (CommandLine:"*cscript*" and CommandLine:"*AppData\\Local\\Temp*" and CommandLine:"*//nologo && del*" and CommandLine:"*6202033.vbs*")) or ((Image like~ ("*\\curl.exe", "*\\powershell.exe")) and CommandLine:"*http://sfrclak.com*") or (OriginalFileName:"PowerShell.EXE" and CommandLine:"*\"C:\\ProgramData\\wt.exe\" -w hidden -ep bypass -file*")
Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Show query
from * metadata _id, _index, _version | where (ends_with(ParentImage, "\\node.exe") or ends_with(ParentImage, "\\bun.exe")) and ends_with(Image, "\\cmd.exe") and CommandLine like "*cscript*" and CommandLine like "*AppData\\Local\\Temp*" and CommandLine like "*//nologo && del*" and CommandLine like "*6202033.vbs*" or (ends_with(Image, "\\curl.exe") or ends_with(Image, "\\powershell.exe")) and CommandLine like "*http://sfrclak.com*" or OriginalFileName=="PowerShell.EXE" and CommandLine like "*\"C:\\ProgramData\\wt.exe\" -w hidden -ep bypass -file*"
Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Show query
((ParentImage:(*\\node.exe OR *\\bun.exe)) AND Image:*\\cmd.exe AND (CommandLine:*cscript* AND CommandLine:*AppData\\Local\\Temp* AND CommandLine:*\/\/nologo\ \&\&\ del* AND CommandLine:*6202033.vbs*)) OR ((Image:(*\\curl.exe OR *\\powershell.exe)) AND CommandLine:*http\:\/\/sfrclak.com*) OR (OriginalFileName:PowerShell.EXE AND CommandLine:*\"C\:\\ProgramData\\wt.exe\"\ \-w\ hidden\ \-ep\ bypass\ \-file*)
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
Show query
any where (CommandLine:"*nohup *" and CommandLine:"*osascript *" and CommandLine:"*/tmp/6202033*") or (CommandLine:"*curl *" and CommandLine:"*packages.npm.org/product*" and CommandLine:"*/Library/Caches/com.apple.act.mond*") or (CommandLine:"*rm *" and CommandLine:"*-rf *" and CommandLine:"*/tmp/6202033*")
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
Show query
from * metadata _id, _index, _version | where CommandLine like "*nohup *" and CommandLine like "*osascript *" and CommandLine like "*/tmp/6202033*" or CommandLine like "*curl *" and CommandLine like "*packages.npm.org/product*" and CommandLine like "*/Library/Caches/com.apple.act.mond*" or CommandLine like "*rm *" and CommandLine like "*-rf *" and CommandLine like "*/tmp/6202033*"
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
Show query
(CommandLine:*nohup\ * AND CommandLine:*osascript\ * AND CommandLine:*\/tmp\/6202033*) OR (CommandLine:*curl\ * AND CommandLine:*packages.npm.org\/product* AND CommandLine:*\/Library\/Caches\/com.apple.act.mond*) OR (CommandLine:*rm\ * AND CommandLine:*\-rf\ * AND CommandLine:*\/tmp\/6202033*)
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
This rule identifies endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
Show query
any where query like~ ("sfrclak.com", "calltan.com", "callnrwise.com")
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
This rule identifies endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
Show query
from * metadata _id, _index, _version | where query in ("sfrclak.com", "calltan.com", "callnrwise.com")
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
This rule identifies endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
Show query
query:(sfrclak.com OR calltan.com OR callnrwise.com)
Azure AD Account Credential Leaked
Indicates that the user's valid credentials have been leaked.
Show query
any where riskEventType:"leakedCredentials"
Azure AD Account Credential Leaked
Indicates that the user's valid credentials have been leaked.
Show query
from * metadata _id, _index, _version | where riskEventType=="leakedCredentials"
Azure AD Account Credential Leaked
Indicates that the user's valid credentials have been leaked.
Show query
riskEventType:leakedCredentials
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
Show query
any where riskEventType:"investigationsThreatIntelligence"
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
Show query
from * metadata _id, _index, _version | where riskEventType=="investigationsThreatIntelligence"
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
Show query
riskEventType:investigationsThreatIntelligence
Showing 751-800 of 12,786