home.social

#kql — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #kql, aggregated by home.social.

  1. Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?

    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
    | where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
    | order by Timestamp desc

    #CVE202641096 #KQL #ThreatHunting #MDE

  6. *Read it like an infomercial*

    Are you tired of working with logs that contain arrays with multiple JSON like this?

    Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

    Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

    github.com/0x-cde/Threat-Hunti

    #kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics

  11. 🕵️‍♂️ KQL is both a science and an art.

    If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
    This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

    🔗 Read the full walkthrough here: marshsecurity.org/sentinel-ski

    Share your comments 👇
    What’s YOUR top KQL tip or favourite optimisation trick?

    Let’s build a thread of practical advice for the hunting community.
    #MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

  15. I'm starting to work with #Microsoft #Sentinel, so I want to teach myself the basics of #KQL. There's a tutorial: learn.microsoft.com/en-us/kust . It sends me to learn.microsoft.com/en-us/fabr to get the sample data.
    I follow the instructions and end up with data that doesn't match the tutorial so none of the queries in the tutorial work (the query expects a table "StormEvents", the data has "Weather" instead).
    This is the first experience Microsoft gives to people trying to learn their technology.
    smdh

  16. How to Use Azure Monitor to Gain Insights and Ensure Application Health

    In modern cloud environments, maintaining the health and performance of applications is critical. Azure Monitor provides a full-stack monitoring solution that enables organizations to track metrics, diagnose issues, and gain deep insights into their applications and infrastructure.

    azuretracks.com/?p=2781

  17. #KQL query that looks for network connections to these domains via #MDE DeviceNetworkEvents (Connection or DNS Query).

    github.com/SecurityAura/DE-TH-

    Huge thanks to @racwatchin8872 for making the data available in a way that can be accessed via externaldata 🙏

  18. 🚨 Test your Lateral Movement investigation skills!

    I have just added a new challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course!

    You can even test your AI agents' skills 😉

    #KQL #Kusto #MicrosoftSentinel #MicrosoftDefender

    academy.bluraven.io/course/int

  19. KQL

    Kusto Query Language (KQL) is a powerful query language that is used to query Azure Data Explorer (ADX) and Azure Monitor log data. KQL is used to query data in tables, summarize d(...)

    #adx #anomalydetection #azure #kql #kusto

    taoofmac.com/space/dev/kql

  20. Self-Hosting Kusto

    This is going to be an unusual one, partly because it is about a Microsoft thing (which I typically avoid) and because it’s going to be a bit of a brain dump.(...)

    #adx #ai #azure #docker #jupyter #kql #kusto #ml #parquet #polars

    taoofmac.com/space/blog/2024/0

  21. 🐣 HAPPY EASTER CAPSTONE! 🛡️

    My KQL courses now include a complete attack scenario to test your skills — end to end.

    🎯 Hands-on labs
    📉 20% OFF for a limited time!
    Crack it open 👇

    #KQL #Kusto #ThreatHunting #DetectionEngineering #DFIR

    academy.bluraven.io

  22. 🎁 NEW UPDATE:

    I've added a small challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course.

    More will be coming soon!

    #KQL #Kusto #MicrosoftDefender #MicrosoftSentinel
    👇
    academy.bluraven.io/course/int

  23. 🚨 FREE unlimited lab access to "Introduction to KQL for Security Analysis" course!

    Thrilled to announce that my Intro to KQL for Security Analysis lab environment is now completely free with no time restrictions!

    academy.bluraven.io/course/int

    #KQL #Kusto #ThreatHunting #Infosec

  24. Detect suspicious foci token logins:
    The included description includes an explanation of what foci tokens are and why a hunt might be useful. Nice work!

    github.com/HybridBrothers/Hunt
    #DFIR #BlueTeam #KQL

  25. If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.

    #cybersecurity #microsoft

    From: @fabian_bader
    infosec.exchange/@fabian_bader

  26. 💙 Fall in Love with Threat Hunting, Incident Response, and Detection Engineering using #KQL 💙
    Code: VLTN30
    Valid until 17.02

    academy.bluraven.io/

    #ThreatHunting

  27. Last call!

    Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.

    Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!

    blackhat.com/eu-24/training/sc

    #kql #threathunting #blueteam #training #cybersecurity #hacking

  28. Today, we are thrilled to announce the next major step in this industry-defining vision: combining the power of leading solutions in security information and event management (𝐒𝐈𝐄𝐌), extended detection and response (𝐗𝐃𝐑), and generative AI for security into the first 𝐔𝐧𝐢𝐟𝐢𝐞𝐝 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐎𝐩𝐞𝐫𝐚𝐭𝐢𝐨𝐧𝐬 𝐏𝐥𝐚𝐭𝐟𝐨𝐫𝐦.

    techcommunity.microsoft.com/t5

    #microsoft #microsoftdefender #microsoftdefenderxdr #xdr #siem #soar #sentinel #microsoftsentinel #ai #aisecurity #cybersecurity #soc #genai #generativeai #gpt #azure #microsoftecurity #soc #analyst #copilot #securitycopilot #ignite #microsoftignite #kql

  29. Another week, another newsletter - catch up on the week's infosec news here:

    opalsec.substack.com/p/soc-gou

    Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

    #Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

    #FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign.

    #LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on GitHub - I mean, why not let the skiddies get in on the action too, right?

    The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

    Have a great week ahead folks, I hope this newsletter proves helpful!

    opalsec.substack.com/p/soc-gou

    #infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD
