Monday, July 7, 2025

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

Kusto Query Language

January 16, 2025 Wayne Andes 86 Views 0 Comments 3 min read

KQL to Detect Suspicious Process Website Access Not Blocked by Symantec

Description Using the power of KQL and Microsoft Sentinel, this detection script identifies events where a suspicious process attempted to

+ SECURE Kusto Query Language Microsoft Sentinel VMware Carbon Black

January 15, 2025 Wayne Andes 95 Views 0 Comments 2 min read

Detect Banned Files Written to Computer Using KQL in VMware Carbon Black App Control

This KQL query detects banned files written to computers by VMware Carbon Black App Control. It targets security events logged

+ SECURE Kusto Query Language Microsoft Sentinel VMware Carbon Black

January 14, 2025 Wayne Andes 72 Views 0 Comments 2 min read

Detect Suspicious Files with VMware Carbon Black Using KQL Query

This KQL query detects suspicious files flagged by VMware Carbon Black App Control, enabling security analysts to pinpoint potential risky

+ SECURE Kusto Query Language Microsoft Sentinel VMware Carbon Black

January 13, 2025 Wayne Andes 78 Views 0 Comments 2 min read

Detect Malicious Files Using KQL in VMware Carbon Black App Control

Using KQL (Kusto Query Language), you can efficiently identify malicious files detected by VMware Carbon Black App Control. This query

+ SECURE Kusto Query Language Microsoft Sentinel Symantec Endpoint Protection

January 10, 2025 Wayne Andes 78 Views 0 Comments 3 min read

Detect FileZilla SFTP Risks with KQL in Symantec Logs

This KQL query helps detect FileZilla SFTP activities flagged by Symantec Endpoint Protection where attacks were detected but not blocked.

+ SECURE Kusto Query Language Microsoft Sentinel Symantec Endpoint Protection

January 9, 2025 Wayne Andes 89 Views 0 Comments 3 min read

Detect Adware Events Using KQL in Symantec Endpoint Protection Logs

This KQL query extracts adware-related security events from Symantec Endpoint Protection (SEP) logs, focusing on instances where adware was detected

+ SECURE Kusto Query Language Microsoft Sentinel Symantec Endpoint Protection

January 8, 2025 Wayne Andes 75 Views 0 Comments 3 min read

List Unblocked Ngrok Events in Symantec with KQL

This article covers how to use a KQL (Kusto Query Language) script to list Ngrok activity detected by Symantec Endpoint

+ SECURE Kusto Query Language Microsoft Sentinel Symantec Endpoint Protection

January 7, 2025 Wayne Andes 82 Views 0 Comments 3 min read

Detect Malicious Scan Attempts Using KQL in Symantec Endpoint Protection Logs

This KQL query identifies malicious scan attempts detected but not blocked by Symantec Endpoint Protection (SEP) by filtering relevant security

+ SECURE Kusto Query Language Microsoft Sentinel Symantec Endpoint Protection

January 6, 2025 Wayne Andes 67 Views 0 Comments 3 min read

List Website Connections Allowed by Symantec Endpoint Protection

This KQL query is designed to identify all connections made to potential or malicious websites that Symantec Endpoint Protection (SEP)

Topics To Explore

+ BLOG + BREAK + BUILD + NEWS + SECURE Active Directory Fortinet Homelab Kusto Query Language Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Power Automate Microsoft PowerShell Microsoft Sentinel Microsoft Teams Microsoft Windows Microsoft Windows Server SentinelOne Symantec Endpoint Protection VMware Carbon Black Zscaler

Recent BUILD Posts

Streamline SentinelOne Endpoint Scans with Power AutomateJune 2, 2025
Automate SentinelOne Incident Alerts to Microsoft Teams with Power AutomateJune 2, 2025
Get Started On Microsoft Power AutomateMay 26, 2025
PowerShell Finds Its Voice: Talking Scripts Are Now a ThingJuly 7, 2023

Recent BREAK Posts

Troubleshooting Data Ingestion Lag in Microsoft Sentinel from Zscaler LogsJanuary 29, 2025
What is BREAK?April 1, 2024

Recent SECURE Posts

Detect QR Code-Based Phishing with KQL in Microsoft Defender XDRFebruary 10, 2025
Monitor Active CISA Exploited CVEs Using This KQL QueryFebruary 3, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 28, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 27, 2025
List Untrusted SSH File Transfer Protocol Connection Not Blocked By Symantec Endpoint ProtectionJanuary 22, 2025

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}