BertJanCyber
bertjancyber.bsky.social
CSIRT | http://kqlquery.com | Microsoft Security MVP | Blue & Purple Team | SOC | SIEM | Threat Hunting | Detection Engineering | #KQL |
Are you joining The KQL Cafe (@kqlcafe.bsky.social) next week? I will be talking about #KQL, Logic Apps, APIs and a combination of the three during the session.

Interested? Register here: www.meetup.com/kql-cafe/eve...

📅 When: April 29 18:00 - 19:30 (CET)
🖥️ Where: Online
💰 Cost: Free of charge
KQL Cafe - April 2025, Tue, Apr 29, 2025, 6:00 PM | Meetup
Hi Kusto Fans, Another month another [KQL Cafe](https://kqlcafe.com/#upcoming-shows) session. As usual we cover what is new in KQL and what we did with KQL in the last mont
www.meetup.com
April 22, 2025 at 4:08 PM
Microsoft announced the public preview of the OAuthAppInfo table in the Advanced Hunting schema. I created multiple #KQL queries to help you kick-start the usage of this table.🚀

The queries help you to identify high-permissive, unused and external apps.

github.com/Bert-JanP/Hu...
Hunting-Queries-Detection-Rules/Defender For Cloud Apps/OAuthAppInfo at main · Bert-JanP/Hunting-Queries-Detection-Rules
KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...
github.com
April 14, 2025 at 5:25 PM
Reposted by BertJanCyber
#100DaysOfKQL

Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process

IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.

(cont)

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%20100%20-%20CScript.exe%2C%20WScript.exe%20or%20MSHTA.exe%20Executed%20from%20Web%20Browser%20Process.md
April 13, 2025 at 2:45 AM
Pushed a #KQL that returns the top 10 SecurityEvents with the largest ingestion size. This can help determine which events you may want to aggregate or filter, depending on your detection/forensic needs.

github.com/Bert-JanP/Hu...
April 12, 2025 at 7:58 AM
It's time to prepare some content for the next @kqlcafe.bsky.social. I will discuss #KQL, Logic Apps and hunting through the available APIs.

The session is on April 29th and is completely free to attend online.

🗓️Event registration & details: www.meetup.com/kql-cafe/
March 31, 2025 at 6:05 PM
On my way to #ELDK2025 🇩🇰
First stop Hamburg! 🇩🇪
March 3, 2025 at 2:21 PM
🛡️Released DFIR PowerShell V3!

New features include:
- Granular response capabilities for Acquisition, Analysis, and Containment
- Expanded support beyond Windows, enabling Cloud response activities via Graph API

github.com/Bert-JanP/In...
GitHub - Bert-JanP/Incident-Response-Powershell: PowerShell Digital Forensics & Incident Response Scripts.
PowerShell Digital Forensics & Incident Response Scripts. - Bert-JanP/Incident-Response-Powershell
github.com
February 27, 2025 at 7:39 PM
Pushed a #KQL for: Successful device code sign-in from an unmanaged device.

Query is available for AADSignInEventsBeta and SigninLogs. Less known is the AADSignInEventsBeta filter for device code:
| where EndpointCall == "Cmsi:Cmsi"

🏹Query: github.com/Bert-JanP/Hu...
February 17, 2025 at 6:53 PM
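As an added example (my own, not the query from the linked repository), the device code filter above extended into a hunt for successful device code sign-ins from unmanaged devices, once for AADSignInEventsBeta (Advanced Hunting) and once for SigninLogs (Sentinel). The column names are the documented schema of both tables; the 30-day window and the choice to treat a missing managed-state value as unmanaged are assumptions about how a practitioner would scope it.

```kql
// Two separate queries; run each on its own.

// 1) Advanced Hunting: AADSignInEventsBeta
//    EndpointCall "Cmsi:Cmsi" marks the device code flow, ErrorCode 0 a successful sign-in.
//    IsManaged is 1 for a managed device; a null value is treated as unmanaged (assumption).
AADSignInEventsBeta
| where Timestamp > ago(30d)
| where EndpointCall == "Cmsi:Cmsi"
| where ErrorCode == 0
| where IsManaged == 0 or isnull(IsManaged)
| project Timestamp, AccountUpn, AccountDisplayName, Application, ResourceDisplayName,
          DeviceName, DeviceTrustType, IsManaged, IsCompliant, OSPlatform,
          IPAddress, Country, UserAgent
| sort by Timestamp desc

// 2) Sentinel: SigninLogs
//    AuthenticationProtocol "deviceCode" marks the flow, ResultType "0" a successful sign-in.
//    The managed state lives in the dynamic DeviceDetail column; null is treated as unmanaged (assumption).
SigninLogs
| where TimeGenerated > ago(30d)
| where AuthenticationProtocol == "deviceCode"
| where ResultType == "0"
| extend IsManaged = tobool(DeviceDetail.isManaged),
         TrustType = tostring(DeviceDetail.trustType),
         DeviceOS  = tostring(DeviceDetail.operatingSystem)
| where IsManaged == false or isnull(IsManaged)
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName,
          TrustType, IsManaged, DeviceOS, IPAddress, Location, UserAgent
| sort by TimeGenerated desc
```

A successful device code sign-in from a device that is neither Entra joined, hybrid joined nor registered is the pattern device code phishing produces; tuning usually means excluding known headless or kiosk accounts rather than relaxing the managed-device check.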
If your company runs Exchange Online and/or Microsoft 365 have a look at CISA's latest publication: Microsoft Expanded Cloud Logs Implementation Playbook.

The report includes KQL, SPL and Powershell code to perform incident response.

www.cisa.gov/resources-to...
Microsoft Expanded Cloud Logs Implementation Playbook | CISA
www.cisa.gov
January 20, 2025 at 7:07 PM
These two mails keep providing great value to list new actions found in a tenant. Very useful to find new detection & hunting potential, anomalies or just to understand your data better.
I will probably write a small blog about the topic soon.
Deployment: github.com/Bert-JanP/Se...
January 20, 2025 at 4:27 PM
Reposted by BertJanCyber
January 12, 2025 at 3:18 PM
Created a #KQL hunting query to list the initial LDAPNightmare exploit (CVE-2024-49113) connection. With this, you can hunt for both successful and failed exploitation attempts 🏹

github.com/Bert-JanP/Hu...
January 6, 2025 at 8:44 PM
A new tradition has been born, the yearly KQL Community Sources list for 2025 has been published!

Happy hunting this year! 🏹

kqlquery.com/posts/kql-so...
KQL Sources - 2025 Update
What started as a single blog is now becoming a yearly trend. More and more KQL related repositories are created, not only with focus on security but also Intune, Entra and Azure Monitor related quer...
kqlquery.com
January 2, 2025 at 3:36 PM
It has been a good day. 😅

Az.SecurityInsights.internal\New-AzSentinelAlertRule : The maximum number of enabled Scheduled analytics rules (512)

learn.microsoft.com/en-us/azure/...
December 23, 2024 at 6:38 PM
NEW BLOG! 🚨

IOC hunting at scale using externaldata().

The blog includes queries for:
- Suspicious NamedPipes
- Tor connections
- Active CISA KEV vulnerabilities
- MISP Feeds

kqlquery.com/posts/extern...
IOC hunting at scale
The KQL External Data operator might be the holiday gift for you! This powerful capability enables you to seamlessly incorporate external data into your KQL queries, such as GitHub IOC lists or MISP F...
kqlquery.com
December 18, 2024 at 3:42 PM
Latest #KQL additions:
1. Suspicious Named Pipe Event
2. CISA Known Exploited Vulnerabilities Visualization
3. Large Number of Analytics Rules Deleted
4. Inbound Authentication From Public IP
Individual links in 🧵
github.com/Bert-JanP/Hu...
GitHub - Bert-JanP/Hunting-Queries-Detection-Rules: KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom...
KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...
github.com
December 10, 2024 at 3:35 PM
Anyone already seen the column ThreatClassification land in their tenant? The column will be added to the EmailEvents table.

Source: techcommunity.microsoft.com/blog/microso...
December 6, 2024 at 5:43 PM
It is time for the monthly Kusto Insights newsletter! 📰

open.substack.com/pub/kustoins...
Kusto Insights - November Update
Welcome to a new Monthly Update.
open.substack.com
December 3, 2024 at 5:30 PM
Time to get a #KQL query from the shelf: Potential Adversary-in-the-Middle Phishing

If you have High-Risk users and axios user agents in the results, please revoke some sessions.

🏹 github.com/Bert-JanP/Hu...

Query is available for both SigninLogs and AADSignInEventsBeta.
December 2, 2024 at 5:37 PM