Discover and read the best of Twitter Threads about #KQL


New #KQL queries.

1. Detect Executable Files in C:\Users\Public*
2. ASR Executable Office Content
3. Hunt for AsyncRAT Initial Access
4. C2 IP Intel Feed
5. C2 Domain Intel Feed

For queries see below! Happy hunting! 🏹

#MDE #Sentinel
github.com/Bert-JanP/Hunt…
1. Based on the tweet from @malmoeb and research from @Mandiant, identify rare executables in the C:\Users\Public\* folders.

github.com/Bert-JanP/Hunt…

2. github.com/Bert-JanP/Hunt…
In the last months, I have collected some awesome new #KQL sources, and this 🧵lists them.
Are you using Defender For Endpoint, Sentinel or Intune, or do you want to learn KQL? Then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of the available data sources in Sentinel. For the E5 detections, take a look at the Microsoft 365 Defender folder.
Type: Query
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
Configuring Windows firewall on your workstation fleet is an underrated security improvement - those devices shouldn't be talking to each other on a lot of the same ports often used for lateral movement. I wrote some #KQL to help build firewall rules out without breaking things.
Find devices that have had no inbound SMB in the last 30 days - github.com/reprise99/Sent…
Find devices that have had no inbound HTTP in the last 30 days - github.com/reprise99/Sent…
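The "no inbound SMB in 30 days" idea from the thread above, written out as an added example against the Defender for Endpoint advanced hunting schema. This is not the query from the linked repository; it assumes the standard DeviceNetworkEvents and DeviceInfo tables and that inbound connections show up as the InboundConnectionAccepted action type.

```kusto
// Added example, not the author's query: Windows devices that accepted no
// inbound SMB (TCP/445) connection in the last 30 days. Swap the port to
// 80/443 for the HTTP variant from the same thread.
let lookback = 30d;
let port = 445;
let devicesWithInbound =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "InboundConnectionAccepted"
    | where LocalPort == port
    | summarize LastInbound = max(Timestamp), Peers = dcount(RemoteIP) by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
| where OSPlatform startswith "Windows"
// one row per device, carrying its most recent name and platform
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
// leftanti keeps only devices with no matching inbound-SMB row
| join kind=leftanti devicesWithInbound on DeviceId
| project DeviceId, DeviceName, OSPlatform, LastSeen = Timestamp
| order by DeviceName asc
```

Treat the result as a candidate list rather than proof: Defender for Endpoint does not record every connection, and the lookback is bounded by the tenant's retention. Before turning a "no inbound SMB" device into a block rule, confirm with the host's own firewall or Windows Filtering Platform audit logging, and run the complementary query (devices that do accept inbound 445) to see which peers an allow rule would have to cover.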
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awesome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
3. You probably have a naming convention for your servers. Also, servers have defined IP subnets.
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining it all together:
Without even knowing what kind of software is used in the environment, you can analyze your process event logs to see if your servers have third-party software installed. The same logs provide the computer name and/or the computer IP.
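The four steps above, combined into one Defender for Endpoint advanced hunting query as an added example (not the author's own code). It assumes a hypothetical server naming convention (APPnn-SRV / DBnn-SRV) and uses the PE version-resource "Company" field that DeviceProcessEvents exposes as ProcessVersionInfoCompanyName; both the pattern and the list of expected vendors are assumptions to adjust for your fleet.

```kusto
// Added example: inventory third-party software on privileged servers by the
// "Company" field of the executed binaries.
let lookback = 14d;
// Hypothetical naming convention; MDE reports DeviceName as a lowercase FQDN,
// so the regex is case-insensitive.
let PrivilegedServerPattern = @"(?i)^(app|db)\d{2}-srv";
// Vendors you expect to see; anything else is third-party software to review.
let ExpectedCompanies = dynamic(["Microsoft Corporation", "Microsoft Windows"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where DeviceName matches regex PrivilegedServerPattern
| where isnotempty(ProcessVersionInfoCompanyName)
| where ProcessVersionInfoCompanyName !in~ (ExpectedCompanies)
| summarize
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    Executions = count(),
    Servers    = make_set(DeviceName, 50),
    Binaries   = make_set(FolderPath, 20)
    by Company = ProcessVersionInfoCompanyName, Product = ProcessVersionInfoProductName
| order by FirstSeen desc
```

For the subnet-based variant of step 3, run the same filter over DeviceNetworkEvents with `ipv4_is_in_range(LocalIP, "10.10.50.0/24")` (assumed subnet) and InitiatingProcessVersionInfoCompanyName instead. Keep in mind that the Company string is whatever the PE author wrote into the version resource, so a trojanized update from a real vendor looks exactly like the real vendor; the value of this query is the inventory and the FirstSeen column, which you then pair with hunts for new child processes and new outbound destinations of those products.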
🔥Pivot is probably one of the most underutilized but very powerful #dataanalysis operators in #KQL

👉Like a PivotTable in Excel, it creates aggregated views on categorical data for analysis, to spot any unusual patterns across multiple columns 🧵👇

Refer doc : docs.microsoft.com/en-us/azure/da…
👀Simple example of Pivot View of Successful Logons tabular data

👉Number of unique users logging on per hour across LogonTypes. 👇
💪Now taking the power of pivot to next level.

🤔 Ever wanted to parse the complex Windows XML format but got tired of manually parsing out individual columns per EventID?

😎Let's see pivot in action, parsing Windows XML in the EventData column dynamically with #KQL

cc @Cyb3rWard0g
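The "pivot parses the XML for you" technique from the thread above, as an added example that is not the author's query. It assumes the Sentinel SecurityEvent table, where the EventData column holds the raw `<EventData><Data Name="...">...</Data>...</EventData>` string of the Windows event, and it generalizes to any EventID because the column names come from the data rather than from the query.

```kusto
// Added example: turn every <Data Name="X">value</Data> element of a Windows
// event into a column named X, without knowing the event's fields up front.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4688                    // process creation; any EventID works
| extend Parsed = parse_xml(EventData)     // {"EventData":{"@xmlns":..,"Data":[{"@Name":..,"#text":..},..]}}
// An event with a single <Data> element parses to an object, not an array;
// wrap it so mv-expand yields one row per element in both cases.
| extend DataNodes = iff(gettype(Parsed.EventData.Data) == "array",
                         Parsed.EventData.Data,
                         pack_array(Parsed.EventData.Data))
| mv-expand Field = DataNodes              // one row per <Data> element
| extend Name  = tostring(Field["@Name"]),
         Value = tostring(Field["#text"])
// pivot: one output column per distinct Name, keyed by the listed columns
| evaluate pivot(Name, any(Value), TimeGenerated, Computer, EventID)
```

The simpler view from the start of the thread is the same operator applied to logons: on EventID 4624, `extend Hour = bin(TimeGenerated, 1h)` followed by `evaluate pivot(LogonType, dcount(Account), Hour)` gives unique accounts per hour with one column per logon type. Note that pivot creates a column per distinct value of the pivot column, so run it on a filtered EventID set; pivoting the whole table across many event types produces a very wide, sparse result.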
💥Highlights from my #KQL talk @Grayhat_Con @BlueTeamVillage in case you missed

📌Slides :
github.com/ashwin-patil/b…

📌GitHub - KQL Queries:
github.com/ashwin-patil/b…

🧵👇
🤔 Why should you learn a query language?
Multiple Products - Varying KQL Support.

👀Always check documentation for support
docs.microsoft.com/en-us/azure/az…