Blog alert!
This time, a way to handle arrays that only have one element in KQL. A follow-up to the previous blog on XML and JSON.
#MicrosoftFabric
#ADX
#Kusto
#KQL
#JSON
#XML
#DataEngineer
🛡️ Palo Alto's Unit42 has published IOCs for #VoidLink, a cloud-native malware framework with an open C2 directory and overlaps with the CL-STA-1015 cluster.
#KQL ready to use in Microsoft Defender:
Full query in the link ▶️ github.com/alex-milla/K...
Kusto-loco using copilot to create KQL queries and charts
Still WIP but with the improvements in recent models I decided to resurrect the "copilot" support in kusto-loco. The aim is to get it to understand how to also use appinsights and remote capabilities as well as local data. #KQL
Blog alert!
A short one this time, on a nice find processing XML data in Realtime Intelligence.
#MicrosoftFabric
#RealtimeIntelligence
#XML
#Kusto
#KQL
#EventHouse
bARGE is updated! Our favorite #VSCode #KQL extension for #Azure #ResourceGraph now supports
* Over 1000 rows (previous limit)
* Frozen header row when scrolling
* In-file query buttons with CodeLens
* Tabs to keep multiple query results
Check it out! 🏴☠️
marketplace.visualstudio.com/items?itemNa...
When you're ready to take your KQL to the next level: Advanced Must Learn KQL.
The book too large to print. eBook available now: https://amzn.to/4txG0qv
#MustLearnKQL #KQL #KQLMysteries
Running KQL queries on Microsoft Defender for Endpoint through Azure Automation www.systanddeploy.co...
#MustLearnKQL #KQL #KQLMysteries
MCP permissions seem to be missing in #Entra portal so I made a quick #KQL detection to detect when MCP permissions are added:
github.com/jkerai1/KQL-...
We're looking for even more beta testers! Join the fun, get all the rewards! All you need is the link and an iOS device.
Exciting News: Join the Beta for the Must Learn KQL Mobile App! rodtrent.substack.co...
#MustLearnKQL #KQL #KQLMysteries
[New blog post] Analyzing #MicrosoftEntra 🤖 Workload Identity Activity Through 🪙 Token-Based Hunting: I’ve published a #KQL function to hunt activities by tokens from non-human identities and share some experimental queries and insights in this article.
www.cloud-architekt.net/token-huntin...
Introducing the Must Learn KQL Learning Hub: Your AI-Powered Interactive KQL Companion rodtrent.substack.co...
#MustLearnKQL #KQL #KQLMysteries
Must Learn KQL now has its own APP!! Full blog post coming on Wednesday, but for those that like tinkering and digging into code, you can get it right now: github.com/rod-trent...
Free and open source.
#MustLearnKQL #KQL #KQLMysteries
🛠️ Kql Toolbox #5: Phishing & Malware Hunting www.hanley.cloud/202...
#MustLearnKQL #KQL #KQLMysteries
🛠️ Kql Toolbox #4: What Changed? Finding Log Sources With The Biggest Delta In Volume & Cost www.hanley.cloud/202...
#MustLearnKQL #KQL #KQLMysteries
FileMaliciousContentInfo is a newly introduced 🔍 #AdvancedHunting table for 🛡️ Microsoft Defender for Office 365, currently available in Public Preview.
🔗 More info: learn.microsoft.com/en-us/defend...
#MicrosoftSecurity #MicrosoftDefender #DefenderXDR #KQL #KustoQuery
🛠️ Kql Toolbox #3: Which Event Id Noises Up Your Logs (and Who’s Causing It)? www.hanley.cloud/202...
#MustLearnKQL #KQL #KQLMysteries #MicrosoftSentinel #Cybersecurity #MicrosoftSecurity #Security #DefenderXDR
Microsoft Intune: Analyze Intune Logs with Kusto Query Language (KQL)!
@microsoft.com @mvpaward.bsky.social @msintune.bsky.social #Microsoft #kql #intune #mvpbuzz #coolstuff
👇👇👇👇
github.com/tomwechsler/...
🛠️ Kql Toolbox #1: Track & Price Your Microsoft Sentinel Ingest Costs www.hanley.cloud/202...
#MustLearnKQL #KQL #KQLMysteries #MicrosoftSentinel #Cybersecurity #MicrosoftSecurity #Security #DefenderXDR
KustoHawk is a PowerShell triage tool for Defender XDR/Sentinel that runs Graph API runHuntingQuery KQL across environments, aggregates device and identity hits, and exports HTML/CSV for investigations. #tool #KQL #DefenderXDR https://bit.ly/48C7mmV
Finding and Writing KQL Queries with the Model Context Protocol sentinel.blog/findin...
#MustLearnKQL #KQL #KQLMysteries
🎙️ With Yoan Schinck on threat hunting in KQL!
On the menu:
• Threat hunting workshop in Microsoft Sentinel
• Detecting service account abuse
🎧 Web: bit.ly/4oBulU1
🎧 Spotify: bit.ly/4iFhO0a
🎧 YouTube: bit.ly/48z6649
#Cybersécurité #ThreatHunting #KQL #SOC
Watching the session from @ericberg.de at #CloudBrew ! Nice talk about #Azure #Monitor with #Copilot and #KQL!
Day 6 of our Education Advent! ⚡
Kusto Query Language powers fast, scalable real-time analytics.
📘 KQL basics: learn.microsoft.com/azure/data-e...
📝 Community intro by #KQL experts: kusto.blog
What I was writing one year ago today...
The KQL Mysteries Season 1: Chapter 2 rodtrent.substack.co...
#MustLearnKQL #KQL #KQLMysteries
Who remembers from 2 years ago when I combined fiction with KQL?
The KQL Mysteries Season 1: Chapter 1 rodtrent.substack.co...
#MustLearnKQL #KQL #KQLMysteries
🔥 #BlackFriday discounts are live🔥
➤ 35% OFF all #KQL courses for threat hunting, detection engineering, and incident response.
#ThreatHunting #DetectionEngineering #DFIR #incidentresponse #CyberSecurity #InfoSec
👉academy.bluraven.io/blackfriday2...
It's been a while but new Kusto-Loco release. Not a lot of changes in this but it does fix a minor issue with TimeSpan serialisation for Parquet files...
#KQL
github.com/NeilMacMulle...
Disabling a user account during a security incident removes them from all Microsoft Teams. Private channel membership is not automatically restored. This #KQL query lists all private channels the user was removed from.
github.com/lorisAmbrozz...
The final part in my Entra Authentication Contexts series is out! Learn how to monitor & report with KQL and a new PowerShell module, M365IdentityPosture. Gain visibility, track usage and strengthen governance.
👉 www.chanceofsecurity.com/post/masteri...
#MSEntra #PowerShell #KQL #M365Security