Discover and read the best of Twitter Threads about #kql
Most recents (7)
New #KQL queries.
1. Detect Executable Files in C:\Users\Public*
2. ASR Executable Office Content
3. Hunt for AsyncRAT Initial Access
4. C2 IP Intel Feed
5. C2 Domain Intel Feed
For queries see below! Happy hunting! 🏹
#MDE #Sentinel
github.com/Bert-JanP/Hunt…
1. Detect Executable Files in C:\Users\Public*
2. ASR Executable Office Content
3. Hunt for AsyncRAT Initial Access
4. C2 IP Intel Feed
5. C2 Domain Intel Feed
For queries see below! Happy hunting! 🏹
#MDE #Sentinel
github.com/Bert-JanP/Hunt…
1. Based on the tweet from @malmoeb and research from @Mandiant, identify rare executables in the C:\Users\Public\* folders.
github.com/Bert-JanP/Hunt…
2. github.com/Bert-JanP/Hunt…
github.com/Bert-JanP/Hunt…
2. github.com/Bert-JanP/Hunt…
In the last months, I have collected some awesome new #KQL sources, and this 🧵lists them.
Are you using Defender For Endpoint, Sentinel, Intune or do you want to learn KQL then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Are you using Defender For Endpoint, Sentinel, Intune or do you want to learn KQL then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
Type: Query
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
Configuring Windows firewall on your workstation fleet is an underrated security improvement - those devices shouldn't be talking to each other on a lot of the same ports often used for lateral movement. I wrote some #KQL to help build firewall rules out without breaking things.
Find devices that have had no inbound SMB in the last 30 days - github.com/reprise99/Sent…
Find devices that have had no inbound HTTP in the last 30 days - github.com/reprise99/Sent…
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awsome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
3. You probably have a naming convention for your servers. Also, servers have defined IP subnets.
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
Without even knowing what kind of software is used in the environment, you can analyze your process event logs to see if your servers have a 3rd party software installed. The same logs provide the computer name and/or the computer IP.
🔥Pivot is probably one of the underutilized but very powerful #dataanalysis operator in #KQL
👉Like PivotTable in Excel it creates aggregated views on categorical data for analysis to spot any unusual patterns across multiple columns 🧵👇
Refer doc : docs.microsoft.com/en-us/azure/da…
👉Like PivotTable in Excel it creates aggregated views on categorical data for analysis to spot any unusual patterns across multiple columns 🧵👇
Refer doc : docs.microsoft.com/en-us/azure/da…
👀Simple example of Pivot View of Successful Logons tabular data
👉No of unique users logging per hour across LogonTypes. 👇
👉No of unique users logging per hour across LogonTypes. 👇
💪Now taking the power of pivot to next level.
🤔 Ever wanted to parse complex windows XML format but tired of manually parsing out individual columns per eventID.
😎Let`s see pivot in action parsing windows XML in EventData column dynamically with #KQL
cc @Cyb3rWard0g
🤔 Ever wanted to parse complex windows XML format but tired of manually parsing out individual columns per eventID.
😎Let`s see pivot in action parsing windows XML in EventData column dynamically with #KQL
cc @Cyb3rWard0g
💥Highlights from my #KQL talk @Grayhat_Con @BlueTeamVillage in case you missed
📌Slides :
github.com/ashwin-patil/b…
📌GitHub - KQL Queries:
github.com/ashwin-patil/b…
🧵👇
📌Slides :
github.com/ashwin-patil/b…
📌GitHub - KQL Queries:
github.com/ashwin-patil/b…
🧵👇
🤔 Why you should learn Query language ?
Multiple Products - Varying KQL Support.
👀Always check documentation for support
docs.microsoft.com/en-us/azure/az…
👀Always check documentation for support
docs.microsoft.com/en-us/azure/az…
