#KQL query that looks for network connections to these domains via #MDE DeviceNetworkEvents (Connection or DNS Query).

https://github.com/SecurityAura/DE-TH-Aura/blob/main/Defender%20for%20Endpoint/ExternalData%20-%20Network%20Connection%20to%20Tycoon2FA%20Domain.md

Huge thanks to @racwatchin8872 for making the data available in a way that can be accessed via externaldata 🙏

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules🕵️‍♂️

https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules

#infosec #cybersecurity #threatintel #threathunting #azure #sentinel #kql

Use an Azure Managed Identity for Fluent Bit’s Azure Data Explorer output plugin on Azure Kubernetes Service https://www.danielstechblog.io/use-an-azure-managed-identity-for-fluent-bits-azure-data-explorer-output-plugin-on-azure-kubernetes-service/ #Azure #AKS #AzureKubernetesService #Kubernetes #AzureDataExplorer #ADX #KQL #FluentBit

🚨 Test your Lateral Movement investigation skills!

I have just added a new challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course!

You can even test your AI agents' skills 😉

#KQL#Kusto#MicrosoftSentinel#MicrosoftDefender

https://academy.bluraven.io/course/introduction-to-kql-for-security-analysis

🐣 HAPPY EASTER CAPSTONE! 🛡️

My KQL courses now include a complete attack scenario to test your skills — end to end.

🎯 Hands-on labs
📉 20% OFF for a limited time!
Crack it open 👇

#KQL #Kusto #ThreatHunting #DetectionEngineering #DFIR

https://academy.bluraven.io

🎁 NEW UPDATE:

I've added a small challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course.

More will be coming soon!

#KQL #Kusto #MicrosoftDefender #MicrosoftSentinel
👇
https://academy.bluraven.io/course/introduction-to-kql-for-security-analysis

🚨 FREE unlimited lab access to "Introduction to KQL for Security Analysis" course!

Thrilled to announce that my Intro to KQL for Security Analysis lab environment is now completely free with no time restrictions!

https://academy.bluraven.io/course/introduction-to-kql-for-security-analysis

#KQL #Kusto #ThreatHunting #Infosec

Detect suspicious foci token logins:
The in cluded description includes an explanation what foci tokens are and why a hunt might be useful. Nice work!

https://github.com/HybridBrothers/Hunting-Queries-Detection-Rules/blob/main/Entra%20ID/DetectSuspiciousFociTokenLogins.md
#DFIR #BlueTeam #KQL

Enhance #CopilotStudio with actionable insights! 📊 From tracking engagement to identifying bottlenecks, these KQL queries in Azure Application Insights empower your bot to perform at its best. Optimize today for a smarter tomorrow! #KQL #AI #Azure

http://mytrial365.com/2025/03/04/using-kql-for-monitoring-and-optimizing-microsoft-copilot-studio/

If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.

#cybersecurity #microsoft

From: @fabian_bader
https://infosec.exchange/@fabian_bader/114013896376345681

Hunt for signins using device code flow, requesting the Device Registration Service and registering a new Entra ID device as the result

#DeviceCodeFlow #Entra #Security #KQL

https://github.com/f-bader/AzSentinelQueries/blob/master/Defender%20XDR/SignInWithDeviceCodeFlowFollowedByDeviceRegistration.md

💙 Fall in Love with Threat Hunting, Incident Response, and Detection Engineering using #KQL 💙
Code: VLTN30
Valid until 17.02

https://academy.bluraven.io/

#ThreatHunting

Using Optional parameter if not configured in Azure Monitor workbooks with KQL query https://cloudadministrator.net/2025/02/05/using-optional-parameter-if-not-configured-in-azure-monitor-workbooks-with-kql-query/ #Azure #AzureMonitor #KQL #AzureLogAnalutics #LogAnalytics #AzureMonitorWorkbooks

Blog Alert!

Let's dig into #KQL and see some differences with #SQL to learn for the #MicrosoftLearn #DP700 certification

http://sqlreitse.com/2025/01/21/dp-700-certification-process-data-using-kql/

Sentinel Tip - Use Custom Functions: Create custom functions to reuse common query logic across multiple rules. Custom functions improve consistency and reduce redundancy. #CustomFunctions #Consistency #Efficiency #KQL

In today's digital landscape, email remains a primary vector for data exfiltration and cyberattacks. With the increasing sophistication of threats, it's crucial for organizations to have robust mechanisms in place to detect and respond to unusual email activities. Microsoft Sentinel, with its powerful threat detection capabilities, provides the perfect platform for monitoring and securing your email communications. #365 #activity #attack #inbox #kql #logs

https://azuretracks.com/?p=2584

Use Fluent Bit for Kubernetes events gathering on Azure Kubernetes Service https://www.danielstechblog.io/use-fluent-bit-for-kubernetes-events-gathering-on-azure-kubernetes-service/ #Azure #AKS #AzureKubernetesService #Kubernetes #AzureDataExplorer #ADX #KQL #FluentBit

NO-BREAK SPACE unicode characters in the display name are not something your average M365 users use.

So better look into #Teams chat messages from those users.

#SecurityTip #KQL

https://github.com/f-bader/AzSentinelQueries/blob/master/Defender%20XDR/SuspiciousTeamsMessagesBasedOnUnicodeInDisplayName.md

Nice blog post providing insight on using #zeek capabilities in #MDE : https://falconforce.nl/detection-engineering-rabbit-holes-parsing-asn-1-packets-in-kql/ #DFIR #blueteam #KQL

Getting a bit frustrated with events that do not consistently end up in the logs #kql #sentinel #mde