+ SECURE \ Kusto Query Language \ Microsoft Sentinel

March 18, 2024 Wayne Andes 54 Views 0 Comments 2 min read

List Guest Users with Azure Active Directory Roles

Description This KQL query can be used to display all Guest users in the tenant who have Azure Active Directory

March 11, 2024 Wayne Andes 72 Views 0 Comments 2 min read

Description This KQL query lists the incidents that are automatically closed by Microsoft Defender XDR. It is good practice to

March 4, 2024 Wayne Andes 77 Views 0 Comments 6 min read

Description This KQL query detects successful sign-ins from countries that have not been seen before. Depending on where you run

February 26, 2024 Wayne Andes 80 Views 0 Comments 37 min read

PowerShell can be used encoded to obfuscate the commands that have been executed. An attacker can choose encoding to hide

February 19, 2024 Wayne Andes 85 Views 0 Comments 26 min read

This Threat Hunting case is based on the DeviceNetworkEvents table. The goal is to find malicious HTTP traffic. Step 1:

February 12, 2024 Wayne Andes 64 Views 0 Comments 5 min read

Description This KQL query identifies the users that are currently at risk. Based on that it performs a lookup on

February 5, 2024 Wayne Andes 52 Views 0 Comments 5 min read

Description This KQL query can be used to detect rare operating systems that are used to sign into your tenant.

January 29, 2024 Wayne Andes 54 Views 0 Comments 5 min read

Description This KQL query lists all the different browsers that are used to successfully sign in to your Entra ID

January 22, 2024 Wayne Andes 47 Views 0 Comments 3 min read

Description The results of this KQL query provide the total number of incidents that have been triggered in your selected timeframe.