Friday, August 29, 2025

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

Build+Break+Secure

Where Every Failure Becomes A Manual

BUILD
- Microsoft Power Automate
  - Microsoft Teams
  - SentinelOne
- Microsoft PowerShell
  - Scripts
BREAK
- Kusto Query Language
  - Microsoft Sentinel
  - Zscaler
SECURE
- Active Directory
  - Hardening
- Kusto Query Language

+ SECURE

September 12, 2023 Wayne Andes 144 Views 0 Comments 2 min read

List Unwanted Or Malicious Applications Detected By Fortinet

Description This KQL query searches for unwanted or malicious applications detected by Fortinet. Qurery Microsoft Sentinel References

+ SECURE Fortinet Kusto Query Language Microsoft Sentinel

September 11, 2023 Wayne Andes 131 Views 0 Comments 2 min read

List Malicious DNS Name Detected Based On Threat Intelligence Indicators By Fortinet

Description This KQL query look for malicious DNS names detected by Fortinet based on Sentinel Threat Intelligence indicators. Risk Explain

+ SECURE Fortinet Kusto Query Language Microsoft Sentinel

September 4, 2023 Wayne Andes 132 Views 0 Comments 4 min read

List Malicious Network Traffic Detected From LAN To WAN By Fortinet

Description This KQL query looks for malicious network traffic detected by Fortinet from LAN to WAN. Risk Explain what risk

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

August 28, 2023 Wayne Andes 102 Views 0 Comments 7 min read

Hunt For Potential Phishing Campaign

Description The EmailClusterId which can be assigned to a mail is the identifier for the group of similar emails clustered based on

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft PowerShell Microsoft Sentinel

August 21, 2023 Wayne Andes 133 Views 0 Comments 9 min read

List PowerShell Invoke-Webrequest Execution

Description Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft PowerShell Microsoft Sentinel

August 14, 2023 Wayne Andes 123 Views 0 Comments 3 min read

Detect PowerShell Launching Scripts From WindowsApps Directory (FIN7)

Description Detection opportunity: Launching PowerShell scripts from windowsapps directory This pseudo-detector looks for the execution of PowerShell scripts from the windowsapps directory.

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

August 7, 2023 Wayne Andes 107 Views 0 Comments 5 min read

Detect Runas Commands With Saved Credentials

Description Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

July 31, 2023 Wayne Andes 105 Views 0 Comments 4 min read

List Triggered Safe Links Email URL Block

Description This KQL query lists the emails that have triggered a URL block by safelinks. This is done by collecting

+ SECURE Kusto Query Language Microsoft Defender for Endpoint Microsoft Sentinel

July 25, 2023 Wayne Andes 106 Views 0 Comments 4 min read

Detect User Account Created Using Command-line

Description This KQL query is aimed to detect users that are added via the command-line. Adding users via the command-line

Topics To Explore

+ BLOG + BREAK + BUILD + NEWS + SECURE Active Directory Fortinet Homelab Kusto Query Language Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Power Automate Microsoft PowerShell Microsoft Sentinel Microsoft Teams Microsoft Windows Microsoft Windows Server SentinelOne Symantec Endpoint Protection VMware Carbon Black Zscaler

Recent BUILD Posts

Streamline SentinelOne Endpoint Scans with Power AutomateJune 2, 2025
Automate SentinelOne Incident Alerts to Microsoft Teams with Power AutomateJune 2, 2025
Get Started On Microsoft Power AutomateMay 26, 2025
PowerShell Finds Its Voice: Talking Scripts Are Now a ThingJuly 7, 2023

Recent BREAK Posts

Troubleshooting Data Ingestion Lag in Microsoft Sentinel from Zscaler LogsJanuary 29, 2025
What is BREAK?April 1, 2024

Recent SECURE Posts

Detect QR Code-Based Phishing with KQL in Microsoft Defender XDRFebruary 10, 2025
Monitor Active CISA Exploited CVEs Using This KQL QueryFebruary 3, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 28, 2025
Detect Microsoft Teams Large Data Transfer Using KQLJanuary 27, 2025
List Untrusted SSH File Transfer Protocol Connection Not Blocked By Symantec Endpoint ProtectionJanuary 22, 2025

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}