Tuesday, July 8, 2025

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

Kusto Query Language

November 27, 2023 Wayne Andes 56 Views 0 Comments 2 min read

List Conditional Access User Sign-in Failure

Description This KQL query lists all users that trigger failed sign in requests due to conditional access failures. This can

+ SECURE Kusto Query Language Microsoft Sentinel

November 20, 2023 Wayne Andes 52 Views 0 Comments 5 min read

List Data Connector Changed From Failed To Success State

Description This KQL query detect Data Connectors with changes from fail to success state. Risk Failures in Data connectors mean

+ SECURE Kusto Query Language Microsoft Sentinel

November 13, 2023 Wayne Andes 53 Views 0 Comments 5 min read

List Data Connector Changed From Success To Failed State

Description This KQL query detect Data Connectors with changes from fail to success state. Risk Failures in Data connectors mean

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

November 6, 2023 Wayne Andes 57 Views 0 Comments 5 min read

Detect SMB File Copies

Description Adversaries can use SMB to upload files to remote shares or to interact with files on those shares. A

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

October 30, 2023 Wayne Andes 70 Views 0 Comments 11 min read

List Domain User Account Added To Sensitive Group Using Command-line

Description This KQL query detects when multiple sensitive group additions have been initiated from the command-line within a certain timeframe.

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

October 23, 2023 Wayne Andes 77 Views 0 Comments 9 min read

List Executable Email Attachment Received

Description Adversaries may use executable files to gain initial access. A tactic that is used is to send executable files,

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

October 16, 2023 Wayne Andes 68 Views 0 Comments 9 min read

Hunt For Possible Web Shell On The Endpoint

Description Attackers install web shells on servers by taking advantage of security gaps, typically vulnerabilities in web applications, in internet-facing

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

October 9, 2023 Wayne Andes 58 Views 0 Comments 6 min read

List Potential Kerberos Encryption Downgrade

Description Adversaries can use older kerberos encryption algorithms which are vulnerable to brute force attacks to crack passwords. This query

+ SECURE Kusto Query Language Microsoft Defender for Endpoint

October 2, 2023 Wayne Andes 68 Views 0 Comments 4 min read

List Internet Facing Devices With Vulnerabilities That Have An Exploit Available

Description This KQL query list all internet facing devices that have a vulnerability that is exploitable. What exploitable means is

Topics To Explore

+ BLOG + BREAK + BUILD + NEWS + SECURE Active Directory Fortinet Homelab Kusto Query Language Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Power Automate Microsoft PowerShell Microsoft Sentinel Microsoft Teams Microsoft Windows Microsoft Windows Server SentinelOne Symantec Endpoint Protection VMware Carbon Black Zscaler

Recent BUILD Posts

Streamline SentinelOne Endpoint Scans with Power AutomateJune 2, 2025
Automate SentinelOne Incident Alerts to Microsoft Teams with Power AutomateJune 2, 2025
Get Started On Microsoft Power AutomateMay 26, 2025
PowerShell Finds Its Voice: Talking Scripts Are Now a ThingJuly 7, 2023

Recent BREAK Posts

Troubleshooting Data Ingestion Lag in Microsoft Sentinel from Zscaler LogsJanuary 29, 2025
What is BREAK?April 1, 2024

Recent SECURE Posts

Detect QR Code-Based Phishing with KQL in Microsoft Defender XDRFebruary 10, 2025
Monitor Active CISA Exploited CVEs Using This KQL QueryFebruary 3, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 28, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 27, 2025
List Untrusted SSH File Transfer Protocol Connection Not Blocked By Symantec Endpoint ProtectionJanuary 22, 2025

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}