This is an older vulnerability, but it is still a nice way to showcase how XDR can discover CVEs.
This query searches for and detects the Windows vulnerability affecting the Netlogon feature.
Sophos Security Bulletin: https://community.sophos.com/b/security-blog/posts/microsoft-cve-2020-1472-netlogon-elevation-of-privilege-vulnerability-aka-zerologon
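-- Event 4742 (a computer account was changed) where the subject is S-1-5-7 (ANONYMOUS LOGON)
-- and PasswordLastSet is not "-". The regex expects SubjectUserSid to appear before
-- PasswordLastSet in the data column.
SELECT *
FROM sophos_windows_events
WHERE source = "Security"
  AND (eventid LIKE '4742'
       AND data LIKE regex_match(data,"\{\\\"EventData\\\":\{.+\\\"SubjectUserSid\\\":\\\"S-1-5-7\\\".+\\\"PasswordLastSet\\\":\\\"[^-].+\}$",0) )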
NOTE: Results do not guarantee that you are compromised. Please interpret them on an individual basis. Microsoft patched this vulnerability in 2020 and released another updated feature patch in 2021.
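
The same condition, checked by parsing the event JSON instead of matching it with a regex so that the result does not depend on the order of the keys. This is an added Python example, not part of the original post or Sophos's own code; the row layout, the `make_row` helper and the sample rows are assumptions constructed for illustration.

```python
import json

ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON


def is_suspicious(row):
    """True when a row meets the conditions the query above looks for."""
    if row.get("source") != "Security" or str(row.get("eventid")) != "4742":
        return False
    try:
        event_data = json.loads(row.get("data") or "")["EventData"]
    except (ValueError, KeyError, TypeError):
        return False  # truncated or unexpected payload: treat as no match
    if not isinstance(event_data, dict):
        return False
    if event_data.get("SubjectUserSid") != ANONYMOUS_LOGON_SID:
        return False
    # A leading "-" means PasswordLastSet was not modified by this change.
    pwd_last_set = event_data.get("PasswordLastSet", "-")
    return isinstance(pwd_last_set, str) and pwd_last_set[:1] not in ("", "-")


def find_hits(rows):
    return [row for row in rows if is_suspicious(row)]


def make_row(eventid, event_data, source="Security"):
    # Assumed layout of the data column: {"EventData": {...}}
    return {"source": source, "eventid": eventid,
            "data": json.dumps({"EventData": event_data})}


# Constructed sample rows, not real telemetry.
SAMPLE_ROWS = [
    make_row("4742", {"TargetUserName": "DC01$", "SubjectUserSid": "S-1-5-7",
                      "PasswordLastSet": "9/20/2020 10:15:02 AM"}),
    # Same kind of event with the keys in the opposite order.
    make_row("4742", {"PasswordLastSet": "9/20/2020 10:17:40 AM",
                      "SubjectUserSid": "S-1-5-7", "TargetUserName": "DC02$"}),
    # Anonymous subject, but the password was not changed.
    make_row("4742", {"SubjectUserSid": "S-1-5-7", "PasswordLastSet": "-"}),
    # Password changed by a non-anonymous subject.
    make_row("4742", {"SubjectUserSid": "S-1-5-18",
                      "PasswordLastSet": "9/20/2020 11:00:00 AM"}),
    # Different event ID.
    make_row("4624", {"SubjectUserSid": "S-1-5-7", "PasswordLastSet": "x"}),
    {"source": "Security", "eventid": "4742", "data": '{"EventData": {"Subj'},
]
```

`find_hits(SAMPLE_ROWS)` returns the first two rows only; the truncated last row is skipped rather than raising.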