Friday, August 29, 2025

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

Kusto Query Language

December 23, 2024 Wayne Andes 137 Views 0 Comments 6 min read

List Cloud Persistence Activities By User At Risk

Description This guide explains how to detect cloud persistence activities performed by users identified as at risk using KQL queries.

+ SECURE Kusto Query Language Microsoft Sentinel

December 16, 2024 Wayne Andes 140 Views 0 Comments 5 min read

List Cloud Discovery Performed By User At Risk

This KQL query identifies discovery events performed by users marked as at risk within an Azure environment. It targets actions

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

December 2, 2024 Wayne Andes 140 Views 0 Comments 3 min read

Detect AMSI Script Attacks Using KQL Query

AMSI script detection KQL query is a crucial tool for monitoring Windows environments where the Antimalware Scan Interface detects potentially

+ SECURE Kusto Query Language Microsoft Sentinel

November 25, 2024 Wayne Andes 113 Views 0 Comments 5 min read

Detect Anomalous Group Policy Discovery

Detect anomalous group policy discovery by leveraging KQL queries to identify devices performing group policy scans they have not executed

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

November 18, 2024 Wayne Andes 140 Views 0 Comments 16 min read

Detect Anomalous Amount of LDAP Traffic

Adversaries can use LDAP to collect environment information. The query below can be used to detect anomalous amounts of LDAP

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

November 11, 2024 Wayne Andes 148 Views 0 Comments 5 min read

Hunt For All Executed LDAP Queries From A Compromised Device

This guide uses KQL to detect executed LDAP queries originating from compromised devices. Monitoring LDAP traffic is critical for identifying

+ SECURE Kusto Query Language Microsoft Sentinel

November 4, 2024 Wayne Andes 189 Views 0 Comments 3 min read

Azure Monitor Agent Connector Failure Detection with KQL

Detecting Azure Monitor Agent (AMA) connector failures using a Kusto Query Language (KQL) script focused on Syslog data enables rapid

+ SECURE Kusto Query Language Microsoft Sentinel

October 28, 2024 Wayne Andes 139 Views 0 Comments 3 min read

Detect Azure Monitor Agent Connector Failures In CommonSecurityLog

Detecting Azure Monitor Agent connector failures with KQL is essential for maintaining consistent log ingestion and security alerting. This query

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

October 21, 2024 Wayne Andes 144 Views 0 Comments 13 min read

Investigate Brute Force Logins Followed by Password Changes using KQL

Adversaries gaining access through brute force may immediately change a compromised account’s password to maintain persistence without raising alarms. This

Topics To Explore

+ BLOG + BREAK + BUILD + NEWS + SECURE Active Directory Fortinet Homelab Kusto Query Language Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Power Automate Microsoft PowerShell Microsoft Sentinel Microsoft Teams Microsoft Windows Microsoft Windows Server SentinelOne Symantec Endpoint Protection VMware Carbon Black Zscaler

Recent BUILD Posts

Streamline SentinelOne Endpoint Scans with Power AutomateJune 2, 2025
Automate SentinelOne Incident Alerts to Microsoft Teams with Power AutomateJune 2, 2025
Get Started On Microsoft Power AutomateMay 26, 2025
PowerShell Finds Its Voice: Talking Scripts Are Now a ThingJuly 7, 2023

Recent BREAK Posts

Troubleshooting Data Ingestion Lag in Microsoft Sentinel from Zscaler LogsJanuary 29, 2025
What is BREAK?April 1, 2024

Recent SECURE Posts

Detect QR Code-Based Phishing with KQL in Microsoft Defender XDRFebruary 10, 2025
Monitor Active CISA Exploited CVEs Using This KQL QueryFebruary 3, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 28, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 27, 2025
List Untrusted SSH File Transfer Protocol Connection Not Blocked By Symantec Endpoint ProtectionJanuary 22, 2025

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}