Internet Explorer End of Life. Find IE usage in your Defender for Endpoint data
This post has some KQL to report usage of Internet Explorer.
KQL
Shields up! Find CISA Known Exploited Vulns in your Defender for Endpoint data
This post has some KQL to report CISA Known Exploited Vulns within your environment.
Exchange Onlne Email Investigation
This post has some KQL to report “who read the sensitive email and who opened the sensitive attachment” using Defender for Office365 and Defender for Endpoint.
KQL for files uploaded to cloud
This post has some KQL to report on files uploaded to cloud via Microsoft or Google browsers. It requires Office365 sensitivity labels, Defender for EndPoint and (for Google Chrome) the Microsoft Compliance extention
Local admin report with Defender for EndPoint
Securing Windows PCs starts with managing local administator access. Microsoft Defender for Endpoint logs every login and records if it was a local admin. Use this KQL query in the Advanced Hunting portal to create a report.
Bitlocker status report with Defender for EndPoint
Are all your machines encrypted? If a laptop was lost is the data protected or you’ll need to declare. Microsoft Defender for EndPoint (aka ATP) stores Bitlocker status information. Use the following KQL query in the Advanced Hunting portal.