home.social

#kql — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #kql, aggregated by home.social.

  1. Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?

    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
    | where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
    | order by Timestamp desc

    #CVE202641096 #KQL #ThreatHunting #MDE

  2. *Read it like an infomercial*

    Are you tired of working with logs that contain arrays with multiple JSON like this?

    Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

    Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

    github.com/0x-cde/Threat-Hunti

    #kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics

  3. 🕵️‍♂️ KQL is both a science and an art.

    If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
    This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

    🔗 Read the full walkthrough here: marshsecurity.org/sentinel-ski

    Share your comments 👇
    What’s YOUR top KQL tip or favourite optimisation trick?

    Let’s build a thread of practical advice for the hunting community.
    #MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

  7. I'm starting to work with #Microsoft #Sentinel, so I want to teach myself the basics of #KQL. There's a tutorial: learn.microsoft.com/en-us/kust . It sends me to learn.microsoft.com/en-us/fabr to get the sample data.
    I follow the instructions and end up with data that doesn't match the tutorial so none of the queries in the tutorial work (the query expects a table "StormEvents", the data has "Weather" instead).
    This is the first experience Microsoft gives to people trying to learn their technology.
    smdh

  8. How to Use Azure Monitor to Gain Insights and Ensure Application Health

    In modern cloud environments, maintaining the health and performance of applications is critical. Azure Monitor provides a full-stack monitoring solution that enables organizations to track metrics, diagnose issues, and gain deep insights into their applications and infrastructure.

    azuretracks.com/?p=2781

  9. #KQL query that looks for network connections to these domains via #MDE DeviceNetworkEvents (Connection or DNS Query).

    github.com/SecurityAura/DE-TH-

    Huge thanks to @racwatchin8872 for making the data available in a way that can be accessed via externaldata 🙏

  10. 🚨 Test your Lateral Movement investigation skills!

    I have just added a new challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course!

    You can even test your AI agents' skills 😉

    #KQL #Kusto #MicrosoftSentinel #MicrosoftDefender

    academy.bluraven.io/course/int

  11. 🐣 HAPPY EASTER CAPSTONE! 🛡️

    My KQL courses now include a complete attack scenario to test your skills — end to end.

    🎯 Hands-on labs
    📉 20% OFF for a limited time!
    Crack it open 👇

    #KQL #Kusto #ThreatHunting #DetectionEngineering #DFIR

    academy.bluraven.io

  12. 🎁 NEW UPDATE:

    I've added a small challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course.

    More will be coming soon!

    #KQL #Kusto #MicrosoftDefender #MicrosoftSentinel
    👇
    academy.bluraven.io/course/int

  13. 🚨 FREE unlimited lab access to "Introduction to KQL for Security Analysis" course!

    Thrilled to announce that my Intro to KQL for Security Analysis lab environment is now completely free with no time restrictions!

    academy.bluraven.io/course/int

    #KQL #Kusto #ThreatHunting #Infosec

  14. Detect suspicious foci token logins:
    The included description includes an explanation of what foci tokens are and why a hunt might be useful. Nice work!

    github.com/HybridBrothers/Hunt
    #DFIR #BlueTeam #KQL

  15. If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.

    #cybersecurity #microsoft

    From: @fabian_bader
    infosec.exchange/@fabian_bader

  16. 💙 Fall in Love with Threat Hunting, Incident Response, and Detection Engineering using #KQL 💙
    Code: VLTN30
    Valid until 17.02

    academy.bluraven.io/

    #ThreatHunting

  17. Last call!

    Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.

    Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!

    blackhat.com/eu-24/training/sc

    #kql #threathunting #blueteam #training #cybersecurity #hacking

  18. KQL

    Kusto Query Language (KQL) is a powerful query language that is used to query Azure Data Explorer (ADX) and Azure Monitor log data. KQL is used to query data in tables, summarize d(...)

    #adx #anomalydetection #azure #kql #kusto

    taoofmac.com/space/dev/kql

  19. Only 5 days to go until both our Hacking Enterprises and Defending Enterprises training classes kick off at Black Hat USA.

    There's still time to snag yourself a ticket for either the weekend or weekday delivery and we'd love to help level up your skills in either offensive or defensive techniques, or both!

    Wreak havoc in our multi-domain enterprise environment and then hunt, detect, monitor and alert after, or vice versa!

    in.security/events/

    #pentesting #redteam #hacking #training #cybersecurity #BHUSA #blueteam #kql #microsoftsentinel #threathunting

  20. Less than a month to go until Black Hat USA 👀. I suppose the only thing to say is I look forward to seeing you on either our Hacking Enterprises or Defending Enterprises trainings, or maybe both!

    ...and if I don't, I suppose the only question to ask is, why haven't you bought your ticket yet? 😎 From phishing, C2, IPv6 and rampaging through multi-domain trusts, to deep threat hunting, monitoring and alerting in our Sentinel lab - I suppose the REAL question is, how many friends or colleagues are signing up with you?!

    in.security/events/

    #pentesting #hacking #redteam #BHUSA #blueteam #threathunting #kql #microsoftsentinel

  21. 🔍 Advanced Time Series Anomaly Detection: Discover methods you’ve never seen before.
    🔗 Attack Path & Execution Chain Detection with Process Mining: A novel approach to threat detection.
    🌐 Attack Pattern Detection Using Graph Semantics: Start thinking in graphs and revolutionize your detection and investigation skills.

    academy.bluraven.io/advanced-h

    #KQL #Kusto #SIEM #MicrosoftSentinel #MicrosoftDefender #MicrosoftDefenderXDR #Defender #cybersecurity #KQLForSecurityAnalysts #ThreatHunting #DetectionEngineering #training #dfir #incidentresponse

  22. Self-Hosting Kusto

    This is going to be an unusual one, partly because it is about a Microsoft thing (which I typically avoid) and because it’s going to be a bit of a brain dump.(...)

    #adx #ai #azure #docker #jupyter #kql #kusto #ml #parquet #polars

    taoofmac.com/space/blog/2024/0

  23. 🚀 FREE Hands-On KQL for Security Analysis Course is now available! 🚀
    ✅ 50 seats bi-monthly
    ✅ Certificate of completion
    ✅ 14-day lab with real-world Microsoft Sentinel and Defender XDR logs 🔥🔥
    Enroll for #FREE 👇
    academy.bluraven.io/intro-to-k
    #KQL #Kusto #SIEM #MicrosoftSentinel #MicrosoftDefender #Defender #cybersecurity #KQLForSecurityAnalysts #training

  24. Made a thing for poking around sigma rules adonm.github.io/stlite-apps/ap including conversion to defender kql

    Source is up github.com/adonm/stlite-apps/b (less than 100 lines!), streamlit lite is quite nice to play with

    rules are grabbed from here - github.com/SigmaHQ/sigma

  25. 🚨 #KQL Course Update and Anniversary Discount!

    The "Hands-On Kusto Query Language (KQL) for Security Analysts" course has been updated with 5 new exercises focusing on aggregations to answer investigative questions, with more to come! The course now offers:
    ✅ Lots of examples in the lessons
    ✅ A total of 23 exercises
    ✅ 2 Investigation scenarios
    allowing you to enhance your skills in Kusto Query Language.

    Last ~24 hours to get it 30% OFF!

    academy.bluraven.io/hands-on-k

    #KQL
    #SecurityAnalysis
    #Training
    #ThreatHunting
    #IncidentResponse
    #MicrosoftSentinel
    #MicrosoftDefender
    #M365Defender
    #DFIR
    #DataAnalysis

  26. In.security's 2024 training schedule has its first two additions. Pentesting and threat hunting training anyone?!

    Hacking Enterprises - 2024 Red Edition, running April 16-17 in-person at Black Hat Asia

    blackhat.com/asia-24/training/

    Defending Enterprises - 2024 Edition, running April 18-19 in-person at BruCON Spring training

    brucon.org/2024/brucon-2024-tr

    #hacking #redteam #pentest #blueteam #kql #MicrosoftSentinel

  27. @smfinlay
    I've seen some inconsistent behavior with case sensitivity with ==, maybe see if it works if the case matches. Could also be a space in the data.

    #DefenderforEndpoint #KQL

  31. For those familiar with #DefenderforEndpoint and #KQL advanced hunting, do you know why I would get results from the query using the "contains" operator and get no results using the "==" operator?