+ SECURE \ Kusto Query Language

April 8, 2024 Wayne Andes 76 Views 0 Comments 28 min read

Hunt For Suspicious SMB Sessions

SMB can be used in various ways by attackers, such as accessing remote shares, transfering files, interacting with systems using

March 25, 2024 Wayne Andes 64 Views 0 Comments 3 min read

Description Collect the top 10 user with the most IP used to successfully sign in to a tenant. This KQL

March 18, 2024 Wayne Andes 54 Views 0 Comments 2 min read

Description This KQL query can be used to display all Guest users in the tenant who have Azure Active Directory

March 11, 2024 Wayne Andes 72 Views 0 Comments 2 min read

Description This KQL query lists the incidents that are automatically closed by Microsoft Defender XDR. It is good practice to

March 4, 2024 Wayne Andes 77 Views 0 Comments 6 min read

Description This KQL query detects successful sign-ins from countries that have not been seen before. Depending on where you run

February 26, 2024 Wayne Andes 80 Views 0 Comments 37 min read

PowerShell can be used encoded to obfuscate the commands that have been executed. An attacker can choose encoding to hide

February 19, 2024 Wayne Andes 85 Views 0 Comments 26 min read

This Threat Hunting case is based on the DeviceNetworkEvents table. The goal is to find malicious HTTP traffic. Step 1:

February 12, 2024 Wayne Andes 64 Views 0 Comments 5 min read

Description This KQL query identifies the users that are currently at risk. Based on that it performs a lookup on

February 5, 2024 Wayne Andes 52 Views 0 Comments 5 min read

Description This KQL query can be used to detect rare operating systems that are used to sign into your tenant.