Posts by BertJanCyber

KQL Cafe - April 2025, Tue, Apr 29, 2025, 6:00 PM | Meetup Hi Kusto Fans, Another month another [KQL Cafe](https://kqlcafe.com/#upcoming-shows) session. As usual we cover what is new in KQL and what we did with KQL in the last mont

Are you joining The KQL Cafe (@kqlcafe.bsky.social) next week? I will be talking about #KQL, Logic Apps, APIs and a combination of the three during the session.

Interested? Register here: www.meetup.com/kql-cafe/eve...

📅 When: April 29 18:00 - 19:30 (CET)
🖥️ Where: Online
💰 Cost: Free of charge

11 months ago 1 0 0 0
Hunting-Queries-Detection-Rules/Defender For Cloud Apps/OAuthAppInfo at main · Bert-JanP/Hunting-Queries-Detection-Rules KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...

Microsoft announced the public preview of the OAuthAppInfo table in the Advanced Hunting schema. I created multiple #KQL queries to help you kick-start the usage of this table. 🚀

The queries help you to identify high-permissive, unused and external apps.

github.com/Bert-JanP/Hu...

1 year ago 1 0 0 0
https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%20100%20-%20CScript.exe%2C%20WScript.exe%20or%20MSHTA.exe%20Executed%20from%20Web%20Browser%20Process.md

#100DaysOfKQL

Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process

IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.

(cont)

t.co/lwO1hmrqUk

1 year ago 5 1 2 0

Pushed a #KQL that returns the top 10 SecurityEvents with the largest ingestion size. This can help determine which events you may want to aggregate or filter, depending on your detection/forensic needs.

github.com/Bert-JanP/Hu...

1 year ago 3 0 0 0

It's time to prepare some content for the next
@kqlcafe.bsky.social . I will discuss #KQL, Logic Apps and hunting through the available APIs.

The session is on April 29th and is completely free to attend online.

πŸ—“οΈEvent registration & details: www.meetup.com/kql-cafe/

1 year ago 5 2 0 0

On my way to #ELDK2025 🇩🇰
First stop Hamburg! 🇩🇪

1 year ago 1 0 0 0
GitHub - Bert-JanP/Incident-Response-Powershell: PowerShell Digital Forensics & Incident Response Scripts. PowerShell Digital Forensics & Incident Response Scripts. - Bert-JanP/Incident-Response-Powershell

πŸ›‘οΈReleased DFIR PowerShell V3!

New features include:
- Granular response capabilities for Acquisition, Analysis, and Containment
- Expanded support beyond Windows, enabling Cloud response activities via Graph API

github.com/Bert-JanP/In...

1 year ago 4 0 0 0

What EndpointCall do you use for these detections? Or do you only rely on SignInLogs for device code auth?

1 year ago 0 0 1 0

I am aware, that is most often the case for the phishing flow. But this scenario focusses more on the flow of accessing management apis from unmanaged devices using device code auth.

1 year ago 1 0 0 0

Pushed a #KQL for: Successful device code sign-in from an unmanaged device.

Query is available for AADSignInEventsBeta and SigninLogs. Less known is the AADSignInEventsBeta filter for device code:
| where EndpointCall == "Cmsi:Cmsi"

🏹Query: github.com/Bert-JanP/Hu...

1 year ago 5 3 2 0
Microsoft Expanded Cloud Logs Implementation Playbook | CISA

If your company runs Exchange Online and/or Microsoft 365 have a look at CISA's latest publication: Microsoft Expanded Cloud Logs Implementation Playbook.

The report includes KQL, SPL and Powershell code to perform incident response.

www.cisa.gov/resources-to...

1 year ago 4 1 0 0

These two mails keep providing great value to list new actions found in a tenant. Very useful to find new detection & hunting potential, anomalies or just to understand your data better.
I will probably write a small blog about the topic soon.
Deployment: github.com/Bert-JanP/Se...

1 year ago 3 1 0 0

📬 Have you checked the latest Kusto Insights by @ugurkoc.de & @bertjancyber.bsky.social

🗓 December update is available now kustoinsights.substack.com/p/kusto-insi...

#KustoInsights #KustoQuery #KustoQueryLanguage #KQL #MicrosoftSecurity

1 year ago 2 1 0 0

Created a #KQL hunting query to list the initial LDAPNightmare exploit (CVE-2024-49113) connection. With this, you can hunt for both successful and failed exploitation attempts 🏹

github.com/Bert-JanP/Hu...

1 year ago 1 0 0 0
KQL Sources - 2025 Update What started as a single blog is now becoming a yearly trend. More and more KQL related repositories are created, not only with focus on security but also Intune, Entra and Azure Monitor related quer...

A new tradition has been born, the yearly KQL Community Sources list for 2025 has been published!

Happy hunting this year! 🏹

kqlquery.com/posts/kql-so...

1 year ago 7 4 0 0

That deployment pipeline is not finished yet :D

1 year ago 1 0 0 0

It has been a good day. 😅

Az.SecurityInsights.internal\New-AzSentinelAlertRule : The maximum number of enabled Scheduled analytics rules (512)

learn.microsoft.com/en-us/azure/...

1 year ago 2 0 1 0
IOC hunting at scale The KQL External Data operator might be the holiday gift for you! This powerful capability enables you to seamlessly incorporate external data into your KQL queries, such as GitHub IOC lists or MISP F...

NEW BLOG! 🚨

IOC hunting at scale using externaldata().

The blog includes queries for:
- Suspicious NamedPipes
- Tor connections
- Active CISA KEV vulnerabilities
- MISP Feeds

kqlquery.com/posts/extern...

1 year ago 0 0 0 0

1. github.com/Bert-JanP/Hu...
2. github.com/Bert-JanP/Hu...
3. github.com/Bert-JanP/Hu...
4. github.com/Bert-JanP/Hu...

1 year ago 1 0 0 0
GitHub - Bert-JanP/Hunting-Queries-Detection-Rules: KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom... KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...

Latest #KQL additions:
1. Suspicious Named Pipe Event
2. CISA Known Exploited Vulnerabilities Visualization
3. Large Number of Analytics Rules Deleted
4. Inbound Authentication From Public IP
Individual links in 🧵
github.com/Bert-JanP/Hu...

1 year ago 2 1 1 0
GitHub - Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such ... This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash. - Bert-JanP/Open-Sourc...

Pushed some new VPN and TOR feeds to the list.

github.com/Bert-JanP/Op...

1 year ago 3 1 0 0

Anyone already seen the column ThreatClassification land in their tenant? The column will be added to the EmailEvents table.

Source: techcommunity.microsoft.com/blog/microso...

1 year ago 3 0 1 0
Kusto Insights - November Update Welcome to a new Monthly Update.

It is time for the monthly Kusto Insights newsletter! πŸ“°

open.substack.com/pub/kustoins...

1 year ago 1 0 0 0

Time to get a #KQL query from the shelf: Potential Adversary in the Middle Phishing

If you have High-Risk users and axios useragents in the results please revoke some sessions.

🏹 github.com/Bert-JanP/Hu...

Query is available for both SigninLogs and AADSignInEventsBeta.

1 year ago 6 2 0 0
ALT: a man wearing a hat and a tank top with the word hello below him
1 year ago 9 0 2 1