diff --git a/DefenderXDR/DetectCVEexploits.kql b/DefenderXDR/DetectCVEexploits.kql
new file mode 100644
index 0000000..fc7742d
--- /dev/null
+++ b/DefenderXDR/DetectCVEexploits.kql
@@ -0,0 +1,16 @@
+// Get all the TVM data
+let tvm_data = DeviceTvmSoftwareVulnerabilities
+| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion, CveId, VulnerabilitySeverityLevel;
+// Get CVE signatures on the network
+DeviceNetworkEvents
+| where ActionType contains "NetworkSignatureInspected"
+| extend AdditionalFields = todynamic(AdditionalFields)
+| extend SignatureName = tostring(AdditionalFields.SignatureName),
+ SignatureMatchedContent = tostring(AdditionalFields.SignatureMatchedContent),
+ SamplePacketContent = tostring(AdditionalFields.SamplePacketContent)
+| where SignatureName contains "CVE"
+// Join the TVM data of the related device
+| join kind=inner tvm_data on DeviceName
+// Check if the server is vulnerable to the detected CVE in network traffic
+| where SignatureName == CveId
+| project-away DeviceName1
\ No newline at end of file
diff --git a/Sentinel/AADMFABypass.kql b/Sentinel/AADMFABypass.kql
new file mode 100644
index 0000000..0f2cb77
--- /dev/null
+++ b/Sentinel/AADMFABypass.kql
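Review bot: The final match `| where SignatureName == CveId` is an exact, case-sensitive comparison, while the earlier filter `| where SignatureName contains "CVE"` is a case-insensitive substring test; if the inspected signature's name carries anything beyond the bare identifier, or differs in case from `CveId`, no row survives and the query silently reports nothing. Consider normalising before the comparison, e.g. `| extend MatchedCve = extract(@"(?i)cve-\d{4}-\d+", 0, SignatureName)` followed by `| where MatchedCve =~ CveId`. The join on the `join kind=inner tvm_data on DeviceName` line keys on a hostname, which can collide across re-imaged or renamed hosts; both `DeviceNetworkEvents` and `DeviceTvmSoftwareVulnerabilities` expose `DeviceId`, which is the stable key. A one-line header stating that `tvm_data` reflects the device's current vulnerability inventory rather than its state at the time of the network event would also help whoever triages a hit.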
@@ -0,0 +1,15 @@
+SigninLogs
+ | where AuthenticationRequirement != "multiFactorAuthentication"
+ | where HomeTenantId == ResourceTenantId
+ | where tostring(NetworkLocationDetails) == "[]"
+ | where ResultType == 0
+ | where ConditionalAccessStatus == "success"
+ | where todynamic(AuthenticationDetails)[0].authenticationMethod != "Windows Hello for Business"
+ | where AppDisplayName != "Microsoft Intune Company Portal"
+ | where AppDisplayName != "Microsoft Intune Web Company Portal"
+ | where AppDisplayName != "Microsoft Office Web Apps Service"
+ | where AppDisplayName != "Microsoft Account Controls V2"
+ | where ResourceDisplayName != "Microsoft Intune Enrollment"
+ | project UserPrincipalName, UserId, AppDisplayName, ResourceDisplayName, NetworkLocationDetails, AuthenticationRequirement
+ | summarize count() by UserPrincipalName, AppDisplayName, ResourceDisplayName, AuthenticationRequirement
+ | sort by UserPrincipalName asc, count_ desc
\ No newline at end of file
diff --git a/Sentinel/AADNewDevices.kql b/Sentinel/AADNewDevices.kql
new file mode 100644
index 0000000..cf15256
--- /dev/null
+++ b/Sentinel/AADNewDevices.kql
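Review bot: The application exclusions keyed on `AppDisplayName` (the four `| where AppDisplayName != ...` lines) compare a free-text label rather than an identity, so a consented third-party app carrying one of those display names would drop out of this single-factor view; keying the allowlist on the `AppId` column with the first-party application GUIDs is the robust form. The method check `todynamic(AuthenticationDetails)[0].authenticationMethod` only inspects the first entry of the array, so a strong method recorded in a later entry is not considered. Restricting to `ConditionalAccessStatus == "success"` also discards sign-ins where no policy applied at all (`notApplied`), which is arguably the clearer case of a missing MFA requirement — if that is intentional, a header comment should say so. The `| project ...` line before `summarize` is redundant, since `summarize` only keeps the columns it groups by.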
@@ -0,0 +1,16 @@
+// Newly registered devices in Azure AD [DCSecurityOperations].
+ let NewDevices = AuditLogs
+ | where OperationName == "Register device"
+ | project TimeGenerated, DeviceID=AdditionalDetails[4].value, OS=AdditionalDetails[3].value, DeviceTrustType=AdditionalDetails[2].value, InitiatedBy=InitiatedBy.user.userPrincipalName;
+ let DisplayNames = AuditLogs
+ | where OperationName == "Add device"
+ | extend Replaced=replace_string(tostring(TargetResources[0].modifiedProperties[6].newValue), '[\"', '')
+ | project DeviceID=replace_string(Replaced, '\"]', ''), DeviceName=TargetResources[0].displayName;
+ NewDevices
+ | extend DeviceID = tostring(DeviceID)
+ | join kind=inner (
+ DisplayNames
+ | extend DeviceID = tostring(DeviceID)
+ ) on $left.DeviceID == $right.DeviceID
+ | summarize by TimeGenerated, DeviceID, tostring(DeviceName), tostring(OS), tostring(DeviceTrustType), tostring(InitiatedBy)
+ | order by TimeGenerated
\ No newline at end of file
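Review bot: The positional lookups `AdditionalDetails[4].value`, `AdditionalDetails[3].value`, `AdditionalDetails[2].value` and `modifiedProperties[6].newValue` in the two `project`/`extend` lines depend on the order of entries in the audit payload, which is not a documented contract; if the order shifts, `DeviceID`, `OS` and `DeviceTrustType` silently carry other values and the join on `$left.DeviceID == $right.DeviceID` matches nothing or matches the wrong device. Select the entries by their `key`/`displayName` instead, e.g. `| mv-apply d = AdditionalDetails on (where tostring(d.key) == "<DEVICE_ID_KEY>" | project DeviceID = tostring(d.value))`, with the key names taken from a sample `Register device` event. The bracket stripping with `replace_string` of `[\"` and `\"]` can likewise be replaced by parsing the value as JSON: `tostring(parse_json(tostring(TargetResources[0].modifiedProperties[6].newValue))[0])`. A short comment naming which audit field each projected column is taken from would make the query maintainable without a sample event at hand.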