#kql — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #kql, aggregated by home.social.
-
Hunting CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) in Advanced Hunting?
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "svchost.exe"
| where InitiatingProcessCommandLine has_any ("dnscache", "NetworkService")
| where FileName !in~ ("conhost.exe", "WerFault.exe", "wermgr.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| order by Timestamp desc
-
*Read it like an infomercial*
Are you tired of working with logs that contain arrays with multiple JSON like this?
Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?
Now your problems are over! With this 5 line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!
#kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics
-
Blog alert!
This time, a way to handle arrays that only have one element in KQL. A follow-up to the previous blog on XML and JSON.
#MicrosoftFabric
#ADX
#Kusto
#KQL
#JSON
#XML
#DataEngineer
http://sqlreitse.com/2026/03/17/microsoft-realtime-intelligence-the-array-that-wasnt/
-
Blog alert!
A short one this time, on a nice find processing XML data in Realtime Intelligence.
#MicrosoftFabric
#RealtimeIntelligence
#XML
#Kusto
#KQL
#EventHouse
http://sqlreitse.com/2026/03/14/microsoft-fabric-realtime-intelligence-processing-xml-or-are-you/
-
Microsoft Defender for Endpoint Deep Dive
- Part 1: https://cyberboo.substack.com/p/microsoft-defender-for-endpoint-deep?r=6h4qin
- Part 2: https://cyberboo.substack.com/p/microsoft-defender-for-endpoint-part
- Part 3: https://cyberboo.substack.com/p/microsoft-defender-for-endpoint-part-14d
- Part 4: https://cyberboo.substack.com/p/microsoft-defender-for-endpoint-part-dc3
- Part 5: https://cyberboo.substack.com/p/microsoft-defender-for-endpoint-part-8bb
- Part 6: https://cyberboo.substack.com/p/microsoft-defender-for-endpoint-part-259
-
-
🕵️♂️ KQL is both a science and an art.
If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.
🔗 Read the full walkthrough here: https://marshsecurity.org/sentinel-skills-saturday-edition-one/
Share your comments 👇
What’s YOUR top KQL tip or favourite optimisation trick? Let’s build a thread of practical advice for the hunting community.
#MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations
-
I'm starting to work with #Microsoft #Sentinel, so I want to teach myself the basics of #KQL. There's a tutorial: https://learn.microsoft.com/en-us/kusto/query/tutorials/learn-common-operators . It sends me to https://learn.microsoft.com/en-us/fabric/real-time-intelligence/sample-gallery to get the sample data.
I follow the instructions and end up with data that doesn't match the tutorial so none of the queries in the tutorial work (the query expects a table "StormEvents", the data has "Weather" instead).
This is the first experience Microsoft gives to people trying to learn their technology.
smdh
-
How to Use Azure Monitor to Gain Insights and Ensure Application Health
In modern cloud environments, maintaining the health and performance of applications is critical. Azure Monitor provides a full-stack monitoring solution that enables organizations to track metrics, diagnose issues, and gain deep insights into their applications and infrastructure. #azuremonitor #CloudMonitoring #ContainerInsights #devops #kql #loganalytics #sentinel #siem #threatdetection
-
URL-Based IOC Validation for Microsoft Defender KQL – Source: socprime.com https://ciso2ciso.com/url-based-ioc-validation-for-microsoft-defender-kql-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #MicrosoftDefender #SOCPrimePlatform #socprimecom #UncoderAI #socprime #Blog #KQL
-
Zip Archive & C2 Domain Detection in Microsoft Sentinel via Uncoder AI – Source: socprime.com https://ciso2ciso.com/zip-archive-c2-domain-detection-in-microsoft-sentinel-via-uncoder-ai-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #MicrosoftSentinel #Latestthreats #socprimecom #UncoderAI #socprime #Blog #KQL
-
#KQL query that looks for network connections to these domains via #MDE DeviceNetworkEvents (Connection or DNS Query).
Huge thanks to @racwatchin8872 for making the data available in a way that can be accessed via externaldata 🙏
-
IOC Query Generation for Microsoft Sentinel in Uncoder AI – Source: socprime.com https://ciso2ciso.com/ioc-query-generation-for-microsoft-sentinel-in-uncoder-ai-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #MicrosoftSentinel #SOCPrimePlatform #socprimecom #UncoderAI #socprime #Blog #KQL
-
🚨 Test your Lateral Movement investigation skills!
I have just added a new challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course!
You can even test your AI agents' skills 😉
#KQL #Kusto #MicrosoftSentinel #MicrosoftDefender
https://academy.bluraven.io/course/introduction-to-kql-for-security-analysis
-
🐣 HAPPY EASTER CAPSTONE! 🛡️
My KQL courses now include a complete attack scenario to test your skills — end to end.
🎯 Hands-on labs
📉 20% OFF for a limited time!
Crack it open 👇
#KQL #Kusto #ThreatHunting #DetectionEngineering #DFIR
https://academy.bluraven.io
-
🎁 NEW UPDATE:
I've added a small challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course.
More will be coming soon!
#KQL #Kusto #MicrosoftDefender #MicrosoftSentinel
👇
https://academy.bluraven.io/course/introduction-to-kql-for-security-analysis
-
🚨 FREE unlimited lab access to "Introduction to KQL for Security Analysis" course!
Thrilled to announce that my Intro to KQL for Security Analysis lab environment is now completely free with no time restrictions!
https://academy.bluraven.io/course/introduction-to-kql-for-security-analysis
-
Detect suspicious foci token logins:
The included description includes an explanation of what foci tokens are and why a hunt might be useful. Nice work!
https://github.com/HybridBrothers/Hunting-Queries-Detection-Rules/blob/main/Entra%20ID/DetectSuspiciousFociTokenLogins.md
#DFIR #BlueTeam #KQL
-
If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.
From: @fabian_bader
https://infosec.exchange/@fabian_bader/114013896376345681
-
💙 Fall in Love with Threat Hunting, Incident Response, and Detection Engineering using #KQL 💙
Code: VLTN30
Valid until 17.02
-
Using Optional parameter if not configured in Azure Monitor workbooks with KQL query https://cloudadministrator.net/2025/02/05/using-optional-parameter-if-not-configured-in-azure-monitor-workbooks-with-kql-query/ #Azure #AzureMonitor #KQL #AzureLogAnalutics #LogAnalytics #AzureMonitorWorkbooks
-
Blog Alert!
Let's dig into #KQL and see some differences with #SQL to learn for the #MicrosoftLearn #DP700 certification
http://sqlreitse.com/2025/01/21/dp-700-certification-process-data-using-kql/
-
Last call!
Join us next week at Black Hat Europe #BHEU on 9th-10th in London for our Defending Enterprises - 2024 Edition 2-day training.
Tickets are selling well so you don't want to miss out on festive threat hunting, Christmassy monitoring and jingling alerts!
https://www.blackhat.com/eu-24/training/schedule/index.html#defending-enterprises----edition--39001
#kql #threathunting #blueteam #training #cybersecurity #hacking
-
Incident Response and Threat Hunting:
A comprehensive collection of Kusto Query Language (KQL) queries used in detection, threat hunting, that focuses on Detections and Digital Forensics
https://github.com/CodeByHarri/Incident-Response-and-Threat-Hunting
-