home.social

#kql — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #kql, aggregated by home.social.

  1. Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?

    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
    | where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
    | order by Timestamp desc

    #CVE202641096 #KQL #ThreatHunting #MDE

  2. Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?

    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
    | where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
    | order by Timestamp desc

    #CVE202641096 #KQL #ThreatHunting #MDE

  3. Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?

    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
    | where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
    | order by Timestamp desc

    #CVE202641096 #KQL #ThreatHunting #MDE

  4. Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?

    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
    | where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
    | order by Timestamp desc

    #CVE202641096 #KQL #ThreatHunting #MDE

  5. Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?

    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
    | where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
    | order by Timestamp desc

    #CVE202641096 #KQL #ThreatHunting #MDE

  6. *Read it like an infomercial*

    Are you tired of working with logs that contain arrays with multiple JSON like this?

    Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

    Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

    github.com/0x-cde/Threat-Hunti

    #kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics

  7. *Read it like an infomercial*

    Are you tired of working with logs that contain arrays with multiple JSON like this?

    Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

    Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

    github.com/0x-cde/Threat-Hunti

    #kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics

  8. *Read it like an infomercial*

    Are you tired of working with logs that contain arrays with multiple JSON like this?

    Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

    Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

    github.com/0x-cde/Threat-Hunti

    #kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics

  9. *Read it like an infomercial*

    Are you tired of working with logs that contain arrays with multiple JSON like this?

    Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

    Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

    github.com/0x-cde/Threat-Hunti

    #kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics

  10. *Read it like an infomercial*

    Are you tired of working with logs that contain arrays with multiple JSON like this?

    Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

    Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

    github.com/0x-cde/Threat-Hunti

    #kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics

  11. 🕵️‍♂️ KQL is both a science and an art.

    If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
    This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

    🔗 Read the full walkthrough here: marshsecurity.org/sentinel-ski

    Share your comments 👇
    What’s YOUR top KQL tip or favourite optimisation trick?

    Let’s build a thread of practical advice for the hunting community.
    #MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

  12. 🕵️‍♂️ KQL is both a science and an art.

    If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
    This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

    🔗 Read the full walkthrough here: marshsecurity.org/sentinel-ski

    Share your comments 👇
    What’s YOUR top KQL tip or favourite optimisation trick?

    Let’s build a thread of practical advice for the hunting community.
    #MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

  13. 🕵️‍♂️ KQL is both a science and an art.

    If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
    This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

    🔗 Read the full walkthrough here: marshsecurity.org/sentinel-ski

    Share your comments 👇
    What’s YOUR top KQL tip or favourite optimisation trick?

    Let’s build a thread of practical advice for the hunting community.
    #MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

  14. 🕵️‍♂️ KQL is both a science and an art.

    If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
    This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

    🔗 Read the full walkthrough here: marshsecurity.org/sentinel-ski

    Share your comments 👇
    What’s YOUR top KQL tip or favourite optimisation trick?

    Let’s build a thread of practical advice for the hunting community.
    #MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

  15. I'm starting to work with #Microsoft #Sentinel, so I want to teach myself the basics of #KQL. There's a tutorial: learn.microsoft.com/en-us/kust . It sends me to learn.microsoft.com/en-us/fabr to get the sample data.
    I follow the instructions and end up with data that doesn't match the tutorial so none of the queries in the tutorial work (the query expects a table "StormEvents", the data has "Weather" instead).
    This is first experience Microsoft gives to people trying to learn their technology.
    smdh

  16. How to Use Azure Monitor to Gain Insights and Ensure Application Health

    In modern cloud environments, maintaining the health and performance of applications is critical. Azure Monitor provides a full-stack monitoring solution that enables organizations to track metrics, diagnose issues, and gain deep insights into their applications and infrastructure.

    azuretracks.com/?p=2781

  17. #KQL query that looks for network connections to these domains via #MDE DeviceNetworkEvents (Connection or DNS Query).

    github.com/SecurityAura/DE-TH-

    Huge thanks to @racwatchin8872 for making the data available in a way that can be accessed via externaldata 🙏

  18. 🚨 Test your Lateral Movement investigation skills!

    I have just added a new challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course!

    You can even test your AI agents' skills 😉

    #KQL#Kusto#MicrosoftSentinel#MicrosoftDefender

    academy.bluraven.io/course/int

  19. 🐣 HAPPY EASTER CAPSTONE! 🛡️

    My KQL courses now include a complete attack scenario to test your skills — end to end.

    🎯 Hands-on labs
    📉 20% OFF for a limited time!
    Crack it open 👇

    #KQL #Kusto #ThreatHunting #DetectionEngineering #DFIR

    academy.bluraven.io

  20. 🎁 NEW UPDATE:

    I've added a small challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course.

    More will be coming soon!

    #KQL #Kusto #MicrosoftDefender #MicrosoftSentinel
    👇
    academy.bluraven.io/course/int

  21. 🚨 FREE unlimited lab access to "Introduction to KQL for Security Analysis" course!

    Thrilled to announce that my Intro to KQL for Security Analysis lab environment is now completely free with no time restrictions!

    academy.bluraven.io/course/int

    #KQL #Kusto #ThreatHunting #Infosec

  22. Detect suspicious foci token logins:
    The in cluded description includes an explanation what foci tokens are and why a hunt might be useful. Nice work!

    github.com/HybridBrothers/Hunt
    #DFIR #BlueTeam #KQL

  23. If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.

    #cybersecurity #microsoft

    From: @fabian_bader
    infosec.exchange/@fabian_bader

  24. 💙 Fall in Love with Threat Hunting, Incident Response, and Detection Engineering using #KQL 💙
    Code: VLTN30
    Valid until 17.02

    academy.bluraven.io/

    #ThreatHunting

  25. Last call!

    Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.

    Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!

    blackhat.com/eu-24/training/sc

    #kql #threathunting #blueteam #training #cybersecurity #hacking

  26. Last call!

    Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.

    Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!

    blackhat.com/eu-24/training/sc

    #kql #threathunting #blueteam #training #cybersecurity #hacking

  27. Last call!

    Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.

    Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!

    blackhat.com/eu-24/training/sc

    #kql #threathunting #blueteam #training #cybersecurity #hacking

  28. Last call!

    Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.

    Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!

    blackhat.com/eu-24/training/sc

    #kql #threathunting #blueteam #training #cybersecurity #hacking

  29. Last call!

    Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.

    Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!

    blackhat.com/eu-24/training/sc

    #kql #threathunting #blueteam #training #cybersecurity #hacking

  30. Incident Response and Threat Hunting:
    A comprehensive collection of Kusto Query Language (KQL) queries used in detection, threat hunting, that focuses on Detections and Digital Forensics

    github.com/CodeByHarri/Inciden

    #dfir #incidentresponse #threathunting #KQL #detections