LOX Agent

All Microsoft Defender XDR alerts with flexible filtering by severity, source, and timeframe.

MDE endpoint alerts with full device context attached.

Microsoft Defender for Identity plus Entra ID Identity Protection alerts.

Microsoft Defender for Office 365 phishing and email security alerts.

Microsoft Defender for Cloud Apps SaaS security alerts (MCAS).

Every alert raised against a specific device, across vendors and timeframes.

Search any indicator (IP, domain, hash, filename) across process, network, and file events.

Parent-child process ancestry for incident reconstruction.

Unified activity timeline merging processes, network, and file events for one host.

Network connections originating from a specific process — surfaces hidden C2.

Find Base64-encoded PowerShell commands and decode them inline.

PowerShell processes connecting outbound to public IPs.

certutil.exe used for external download or exfil (LOLBin).

Office macros calling out to external addresses.

URL access following ISO file mounting — common social-engineering chain.

Browsers spawning suspicious child processes — drive-by compromise marker.

System processes running from wrong paths (T1036.005).

Unusual parent-child process relationships across the fleet.

Browser child processes that should never spawn from a browser.

Unsigned executables running from user-writable folders.

WScript / CScript execution patterns that fingerprint malware loaders.

DLLs loading from unusual paths — sideloading and hijack indicators.

Low-prevalence files dropped under Users/Public — common staging path.

Web shell file creation and execution on edge/web servers.

Every security alert raised against a specific user.

Entra ID risk levels and sign-in risk state for a user.

Adversary-in-the-middle phishing on unmanaged devices.

Logins from suspicious user agents (axios, azurehound, Python, curl).

Sign-ins from countries this account has never used before.

First-time application consent for a user — consent-phishing detection.

Device-code auth flows — frequently abused for phishing-resistant phish.

Rapid Conditional Access policy failures that suggest bypass attempts.

Azure CLI logins exhibiting risky patterns.

ASREP roasting attack indicators against Active Directory.

Kerberoasting service-ticket request patterns.

Inbound emails carrying OAuth consent URLs.

Inbound emails carrying device-code phishing URLs.

Users who clicked device-code or OAuth phishing URLs.

Click + successful device-code sign-in — actual compromise events.

Map a phishing-email click straight through to the endpoint that opened it.

Sender reputation, delivery patterns, and threat history for a given sender.

Forwarding rules, SMTP redirection, delegate access — BEC/AiTM persistence.

Inbox rule patterns associated with mailbox-takeover playbooks.

Enumerate every email forwarding rule across the tenant.

Inbox rules created from previously-unseen source IPs.

QR-code-based phishing emails (quishing).

CoPhish (Copilot Studio abuse), unauthorized Graph mail access, suspicious app consent.

Dangerous Graph API permissions granted (Mail.*, Files.*, Directory.*).

App consent, MFA changes, service-principal modifications.

Enumerate the permissions attached to every OAuth app in the tenant.

MFA device registrations from anomalous locations or devices.

New processes accessing LSASS — credential dumping in progress.

LSASS access via debugging APIs (a common dumper technique).

LSASS dumping via comsvcs.dll MiniDump (T1003).

NTDS.dit extraction attempts on domain controllers.

SAM database read attempts on workstations and servers.

Pass-the-hash lateral movement signatures across the fleet.

New Windows service creation events.

Registry Run/RunOnce key modifications across the fleet.

Files created under Startup folders.

WMI event-subscription persistence (T1546.003).

Scheduled tasks creating outbound C2 connections.

Scheduled tasks executing unsigned binaries.

Logon-script creation and modification events.

COM hijacking via CLSID manipulation.

User Account Control bypass attempts (eventvwr, fodhelper, sdclt, etc.).

getsystem-style privilege escalation indicators.

Token stealing or token-elevation indicators.

Process-injection vectors (CreateRemoteThread, APC queue, etc.).

MSBuild abused for remote-thread injection.

Named-pipe creation patterns associated with C2 frameworks.

SMB, RDP, WinRM, and SSH lateral-movement attempts originating from a host.

Find other devices that ran similar commands or hit the same suspicious infrastructure.

Service Control Manager remote lateral movement.

DCOM-based lateral movement signatures.

NTLM relay attack indicators.

DLL hijacking patterns for lateral execution.

WinRM plugin abuse for lateral execution.

RMM tool (TeamViewer, AnyDesk, ConnectWise) external connectivity.

First-ever execution of an RMM tool on a host — common ransomware precursor.

PsExec remote-execution attempts.

WMI-based command execution across hosts.

Rapid AD enumeration of users and groups.

SMB reconnaissance scans across the network.

BloodHound AD enumeration tool usage.

New local user accounts created across the fleet.

Local system reconnaissance commands (whoami, systeminfo, net group, etc.).

Multiple failed remote logon attempts grouped by source IP.

Repeating outbound connections to the same non-Microsoft destination — generic beacon detection.

Cobalt Strike user-agent and JA3 signatures.

Processes exhibiting periodic beacon-like behavior over time.

DNS-tunneling patterns used for C2 over allow-listed protocols.

Event log clearing — anti-forensics signal.

File timestamp manipulation (T1070.006).

Archive creation followed by SMB sharing — classic exfil staging.

Rclone or Rclone-derived cloud exfil tools running on the fleet.

Generic cloud-storage exfil patterns (file.io, transfer.sh, mega.io, etc.).

HTML files with embedded encoded payloads (HTML smuggling).

Payloads smuggled inside image EXIF data.

BitLocker abused as a ransomware encryption primitive.

BitLocker COM hijacking for unauthorized decryption.

Malicious URLs from URLhaus that were delivered in email.

URLhaus URLs that were actually accessed from endpoints.

Daily summary of URLhaus feed coverage.

Vulnerable drivers from the LOLDrivers feed loaded in the environment.

Sweep the fleet for any driver in the LOLDrivers list.

Daily summary of the LOLDrivers feed.

Living-off-the-land binaries (LOLBAS) generating network activity.

Detection for LOLBAS execution patterns.

Filter LOLBAS execution by binary name (specific tradecraft).

Suspicious drivers loaded for EDR bypass.

Drivers signed with old or invalid certificates.

Right-to-left override URL obfuscation.

ClickFix clipboard-and-Win+R social-engineering chain.

ClickFix PowerShell execution paths.

ClickFix mshta-based execution paths.

Network activity downstream of a ClickFix attack.

FileFix social-engineering chain executed via Explorer.

ConsentFix social-engineering campaign activity.

Primary Refresh Token (PRT) theft indicators.

Shadow-credentials attack indicators against AD.

File reputation and prevalence pulled from MDE.

How widespread a file is across your organization.

Device CVE vulnerability context with exploit-status flags.

User role and group membership from Entra ID.

AMSI script-detection events on a host.

Microsoft Defender Antivirus detection events.

Attack Surface Reduction rule triggers.

Microsoft SmartScreen warnings and bypasses.

Security software tampering attempts.

Defender exclusion-list modifications — frequent evasion vector.

MDE network connection details surfaced for cross-IOC comparison.

MDE process executions surfaced for cross-comparison.

Keylogger detection signatures.

Inbound connections to a host from public IPs.

Suspicious entries in the registry Run-MRU list.