/images/logo.png

Cyber for all

Stay informed, stay secure, and stay one step ahead of adversaries with KQL

UAL = Unaligned Activity Logs

The unified audit log is a centralized repository for M365 user and admin activities. The activities originate from different applications, such as Exchange, Teams, SharePoint, Azure, OneDrive and Defender XDR. In this blog, we compare four different ways to acquire and investigate the unified audit logs (UAL): Purview Audit Search Defender For Cloud Apps CloudAppEvents Logs Sentinel OfficeActivity Logs Invictus Incident Response Microsoft Extractor Suite There is another approach to acquire the UAL logs, which is not included in this blog.

Unleash The Power Of DeviceTvmInfoGathering

The DeviceTvmInfoGathering table in Defender XDR is one of the understudied tables of Defender For Endpoint. With only the small amount of four listings from Alex Verboon on kqlsearch.com before researching this table. This blog explores the uncovered potential of this table, because this will help you a lot to get quick insights into the configuration Defender For Endpoint on your devices! DeviceTvmInfoGathering listings kqlsearch.com While the table serves little detection value, it is extremely useful to get insights into the Defender For Endpoint configuration of your devices.

Use Cases For Sentinel Summary Rules

Microsoft has announced a new Sentinel feature: Summary Rules. Those rules are aimed at aggregating large sets of data in the background for a smoother security operations experience across all log tiers (Documentation). This blog describes multiple use cases to get started with this new feature. I just want to have the queries! GitHub Sentinel Summary Rules. Use Cases You might question the use cases related to summary rules. First, it is good to know that summary rules are closely related to the summarize operator.

Sentinel Automation Part 2: Automate CISA Known Exploited Vulnerability Notifications

The CISA Known Exploited Vulnerabilities Catalog helps organizations prioritize vulnerabilities, as an end user you want to be notified when a new vulnerability is added. This blog describes four different solutions in Microsoft Sentinel to automate the notification process, leaving you with the important task of analyzing this new threat. The four automation solutions presented in this blog are: Email notifications Teams channel notifications Sentinel incidents Sentinel Analytics Rule Both the Logic App and the Analytics Rule are available on GitHub.