Added DetectCVEExplot file

DefenderXDR/DetectCVEexploits.kql

@@ -0,0 +1,16 @@
+// Get all the TVM data
+let tvm_data = DeviceTvmSoftwareVulnerabilities
+| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion, CveId, VulnerabilitySeverityLevel;
+// Get CVE signatures on the network
+DeviceNetworkEvents
+| where ActionType contains "NetworkSignatureInspected"
+| extend AdditionalFields = todynamic(AdditionalFields)
+| extend SignatureName = tostring(AdditionalFields.SignatureName),
+    SignatureMatchedContent = tostring(AdditionalFields.SignatureMatchedContent),
+    SamplePacketContent = tostring(AdditionalFields.SamplePacketContent)
+| where SignatureName contains "CVE"
+// Join the TVM data of the related device
+| join kind=inner tvm_data on DeviceName
+// Check if the server is vulnerable to the detected CVE in network traffic
+| where SignatureName == CveId
+| project-away DeviceName1

Sentinel/AADMFABypass.kql

@@ -0,0 +1,15 @@
+SigninLogs
+  | where AuthenticationRequirement != "multiFactorAuthentication"
+  | where HomeTenantId == ResourceTenantId
+  | where tostring(NetworkLocationDetails) == "[]"
+  | where ResultType == 0
+  | where ConditionalAccessStatus == "success"
+  | where todynamic(AuthenticationDetails)[0].authenticationMethod != "Windows Hello for Business"
+  | where AppDisplayName != "Microsoft Intune Company Portal"
+  | where AppDisplayName != "Microsoft Intune Web Company Portal"
+  | where AppDisplayName != "Microsoft Office Web Apps Service"
+  | where AppDisplayName != "Microsoft Account Controls V2"
+  | where ResourceDisplayName != "Microsoft Intune Enrollment"
+  | project UserPrincipalName, UserId, AppDisplayName, ResourceDisplayName, NetworkLocationDetails, AuthenticationRequirement
+  | summarize count() by UserPrincipalName, AppDisplayName, ResourceDisplayName, AuthenticationRequirement
+  | sort by UserPrincipalName asc, count_ desc