
Cyber for all

Stay informed, stay secure, and stay one step ahead of adversaries with KQL

Hunting Through APIs

In today’s blog, we’re diving into the world of hunting through APIs. The advantages, limitations, and scope of the Graph API, Azure Monitor API, and Defender ATP API are discussed, and for each of them a ready-to-use PowerShell script is shared. These APIs can enhance security operations, automate threat detection, and open up broader automation potential. In this blog the following topics are discussed:

- Available Data
- Permissions
- API Limitations
- Hunting Through PowerShell
- Hunting the Hunters

The next blog explains how these APIs can be used in Logic Apps, so stay tuned for the next one!

Investigating ClickFix Incidents

With ClickFix being one of the popular delivery methods for malware, infostealers and state-sponsored hackers, it is time to share a blog on investigating these incidents using Defender For Endpoint. In ClickFix campaigns a fake (captcha) message is displayed, forcing users to validate that they are human. The ‘validation’ executes a malicious command using Windows + Run. The topics discussed in this blog:

- Initial Compromise
- The Incident
- Device Timeline
- ClickFix Triage Query
- Next Steps
- Detection Possibilities

Initial Compromise

In the simulated ClickFix scenario the user John Davis visited the page as seen below, on the lookout for content related to cloud robots.

Monitor For New Actions In Sentinel And MDE

Sometimes I get the question, how can I keep up with all the new actions that are added to our security solutions? This question is very valid, as identifying potential (new) threats and detection capabilities is crucial. This blog will explain and share a solution to get weekly reports on all the newly logged actions in Sentinel and Defender For Endpoint that are found in your tenant. This proactive approach helps to understand your data and enables organizations to identify patterns, anomalies, and potential indicators of compromise.

KQL Sources - 2025 Update

What started as a single blog is now becoming a yearly trend. More and more KQL-related repositories are created, not only with a focus on security but also on Intune, Entra and Azure Monitor related queries. Dive in and discover how these new additions can help you tackle challenges or give you new ideas for the new year. Happy New Year to all of you!

KQL Sources (Link - Description)

- kqlsearch.com - KQL Search Engine
- Kusto Insights Newsletter - Kusto Insights newsletter
- The Definitive Guide to KQL - Using Kusto Query Language for Operations, Defending, and Threat Hunting
- Kusto Query Internals
- Hunting TTPs with Azure Sentinel
- Microsoft Sentinel Analytics Rules Exchange - Microsoft Sentinel Analytics Rules

GitHub Repositories: KQL Community Repositories (Link - Description)

- Azure Sentinel Repository - Azure - Cloud-native SIEM for intelligent security analytics for your entire enterprise
- Sentinel-Queries - reprise99 - Collection of KQL queries
- Falcon Friday - FalconForceTeam - Hunting queries and detections
- Threat-Hunting-and-Detection - Cyb3r-Monk - Repository for threat hunting and detection queries, etc.