diff --git a/DefenderXDR/DetectCVEexploits.kql b/DefenderXDR/DetectCVEexploits.kql
new file mode 100644
index 0000000..fc7742d
--- /dev/null
+++ b/DefenderXDR/DetectCVEexploits.kql
@@ -0,0 +1,16 @@
+// Get all the TVM data
+let tvm_data = DeviceTvmSoftwareVulnerabilities
+| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion, CveId, VulnerabilitySeverityLevel;
+// Get CVE signatures on the network
+DeviceNetworkEvents
+| where ActionType contains "NetworkSignatureInspected"
+| extend AdditionalFields = todynamic(AdditionalFields)
+| extend SignatureName = tostring(AdditionalFields.SignatureName),
+ SignatureMatchedContent = tostring(AdditionalFields.SignatureMatchedContent),
+ SamplePacketContent = tostring(AdditionalFields.SamplePacketContent)
+| where SignatureName contains "CVE"
+// Join the TVM data of the related device
+| join kind=inner tvm_data on DeviceName
+// Check if the server is vulnerable to the detected CVE in network traffic
+| where SignatureName == CveId
+| project-away DeviceName1
\ No newline at end of file
diff --git a/Sentinel/AADMFABypass.kql b/Sentinel/AADMFABypass.kql
new file mode 100644
index 0000000..0f2cb77
--- /dev/null
+++ b/Sentinel/AADMFABypass.kql
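Review bot: The `| join kind=inner tvm_data on DeviceName` line keys the join on a hostname, which is not unique across a tenant and can be reused after re-imaging; both tables also expose DeviceId, so joining on it avoids attributing one device's vulnerabilities to another: `| distinct DeviceId, DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion, CveId, VulnerabilitySeverityLevel;` in tvm_data, `| join kind=inner tvm_data on DeviceId`, and `| project-away DeviceId1, DeviceName1`. The final `| where SignatureName == CveId` is an exact match; if the inspected signature name carries anything beyond the bare CVE identifier, those events are silently dropped, so `| where SignatureName has CveId` may be the safer predicate — worth confirming against live NetworkSignatureInspected data. DeviceNetworkEvents is also read with no Timestamp bound, which matters if this runs as a scheduled hunt rather than under an explicit time picker; a leading `| where Timestamp > ago(7d)` (constructed sample window) keeps the scan bounded. A header comment stating the intent — surface network signature hits for CVEs that TVM still reports the receiving device as vulnerable to — would help whoever triages the results.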
@@ -0,0 +1,15 @@
+SigninLogs
+ | where AuthenticationRequirement != "multiFactorAuthentication"
+ | where HomeTenantId == ResourceTenantId
+ | where tostring(NetworkLocationDetails) == "[]"
+ | where ResultType == 0
+ | where ConditionalAccessStatus == "success"
+ | where todynamic(AuthenticationDetails)[0].authenticationMethod != "Windows Hello for Business"
+ | where AppDisplayName != "Microsoft Intune Company Portal"
+ | where AppDisplayName != "Microsoft Intune Web Company Portal"
+ | where AppDisplayName != "Microsoft Office Web Apps Service"
+ | where AppDisplayName != "Microsoft Account Controls V2"
+ | where ResourceDisplayName != "Microsoft Intune Enrollment"
+ | project UserPrincipalName, UserId, AppDisplayName, ResourceDisplayName, NetworkLocationDetails, AuthenticationRequirement
+ | summarize count() by UserPrincipalName, AppDisplayName, ResourceDisplayName, AuthenticationRequirement
+ | sort by UserPrincipalName asc, count_ desc
\ No newline at end of file
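Review bot: The `| where ConditionalAccessStatus == "success"` line keeps only sign-ins where a Conditional Access policy applied and passed, so single-factor successes with status `notApplied` — users no policy covers at all, which is the larger MFA gap — never reach the summarize; if the intent is any successful sign-in without MFA, `| where ConditionalAccessStatus in ("success", "notApplied")` widens coverage, otherwise a comment stating the deliberate narrowing would prevent that reading. The four AppDisplayName exclusions read more clearly as one predicate, `| where AppDisplayName !in ("Microsoft Intune Company Portal", "Microsoft Intune Web Company Portal", "Microsoft Office Web Apps Service", "Microsoft Account Controls V2")`, which also keeps the allow-list reviewable in one place. The `todynamic(AuthenticationDetails)[0].authenticationMethod` check inspects only the first authentication step; if later steps can carry the Windows Hello for Business method the exclusion is incomplete — presumably moot for a single-factor sign-in, but worth confirming. There is no time bound or header comment; a leading `// Successful sign-ins that completed without MFA, excluding known device-enrollment and WHfB flows` plus a note on the scheduled rule's lookback window would document the detection's scope.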