Wayne Andes

September 18, 2023 Wayne Andes 67 Views 0 Comments 22 min read

Detect Macro Attachment Opened From Rare Sender

Description Adversaries may use macro enabled files go gain access to the network. If the macros are not enabled the

+ SECURE Fortinet Kusto Query Language Microsoft Sentinel

September 12, 2023 Wayne Andes 85 Views 0 Comments 2 min read

List Unwanted Or Malicious Applications Detected By Fortinet

Description This KQL query searches for unwanted or malicious applications detected by Fortinet. Qurery Microsoft Sentinel References

+ SECURE Fortinet Kusto Query Language Microsoft Sentinel

September 11, 2023 Wayne Andes 69 Views 0 Comments 2 min read

List Malicious DNS Name Detected Based On Threat Intelligence Indicators By Fortinet

Description This KQL query look for malicious DNS names detected by Fortinet based on Sentinel Threat Intelligence indicators. Risk Explain

+ SECURE Fortinet Kusto Query Language Microsoft Sentinel

September 4, 2023 Wayne Andes 73 Views 0 Comments 4 min read

List Malicious Network Traffic Detected From LAN To WAN By Fortinet

Description This KQL query looks for malicious network traffic detected by Fortinet from LAN to WAN. Risk Explain what risk

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

August 28, 2023 Wayne Andes 59 Views 0 Comments 7 min read

Hunt For Potential Phishing Campaign

Description The EmailClusterId which can be assigned to a mail is the identifier for the group of similar emails clustered based on

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft PowerShell Microsoft Sentinel

August 21, 2023 Wayne Andes 80 Views 0 Comments 9 min read

List PowerShell Invoke-Webrequest Execution

Description Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft PowerShell Microsoft Sentinel

August 14, 2023 Wayne Andes 74 Views 0 Comments 3 min read

Detect PowerShell Launching Scripts From WindowsApps Directory (FIN7)

Description Detection opportunity: Launching PowerShell scripts from windowsapps directory This pseudo-detector looks for the execution of PowerShell scripts from the windowsapps directory.

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

August 7, 2023 Wayne Andes 61 Views 0 Comments 5 min read

Detect Runas Commands With Saved Credentials

Description Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

July 31, 2023 Wayne Andes 63 Views 0 Comments 4 min read

List Triggered Safe Links Email URL Block

Description This KQL query lists the emails that have triggered a URL block by safelinks. This is done by collecting

Build+Break+Secure

Build+Break+Secure

Author: Wayne Andes

Detect Macro Attachment Opened From Rare Sender

List Unwanted Or Malicious Applications Detected By Fortinet

List Malicious DNS Name Detected Based On Threat Intelligence Indicators By Fortinet

List Malicious Network Traffic Detected From LAN To WAN By Fortinet

Hunt For Potential Phishing Campaign

List PowerShell Invoke-Webrequest Execution

Detect PowerShell Launching Scripts From WindowsApps Directory (FIN7)

Detect Runas Commands With Saved Credentials

List Triggered Safe Links Email URL Block