Cyber for all
Stay informed, stay secure, and stay one step ahead of adversaries with KQL
Explore Microsoft Defender for Endpoint timeline internals, OneCyber telemetry, MITRE mapping, and DFIR workflows using exported timeline data, jq and KQL.
Learn how to monitor new actions in Microsoft Sentinel and Defender XDR with KQL, Logic Apps, and Graph API. Automate weekly reports and improve SOC detection engineering.
What started as a single blog in 2023 is now becoming a yearly tradition. Each year, the KQL community expands with new repositories and queries. The list does not cover just security, but also Intune, Entra, and Azure Monitor.
This year, an extra step was taken to remove AI-generated, low-quality repositories from the list so that only correct example repositories are shared.
Happy New Year to all of you!
Highlights
#100DaysOfKQL
Starting the highlights of this year with the #100DaysOfKQL series done by SecurityAura.
The new GraphApiAuditEvents table in Advanced Hunting has been in Public Preview since July this year. These valuable logs give new insights into the activities performed through the Graph API in your tenant, which makes it a table you definitely want to explore in the upcoming weeks. The GraphApiAuditEvents table is the ‘free’ version of the MicrosoftGraphActivityLogs table that was available in Sentinel. GraphApiAuditEvents enables more organizations to use these valuable logs without burning their budget.
Logic Apps allow organizations to easily automate processes. The previous blog discussed the APIs used to run KQL; this blog builds on that knowledge and explains how the Graph API, Azure Monitor API and Defender ATP API can also be integrated into Logic Apps.
If you do not run automation solutions via Logic Apps and Sentinel yet, I highly recommend having a look at the previous blogs and Logic Apps below to get an idea of what the possibilities are.
In today’s blog, we’re diving into the world of hunting through APIs. In the blog, the advantages, limitations, and scopes of the Graph API, Azure Monitor API, and Defender ATP API are discussed. For all of these solutions, a ready-to-use PowerShell script is shared.
These APIs can enhance security operations, automate threat detection, and unlock greater automation potential. In this blog the following topics are discussed:
Available Data
Permissions
API Limitations
Hunting Through PowerShell
Hunting the Hunters
The next blog explains how these APIs can be used in Logic Apps, so stay tuned for the next one!