Cyber for all

Stay informed, stay secure, and stay one step ahead of adversaries with KQL

Investigating Microsoft Graph Activity Logs

At the beginning of April (2024) Microsoft announced the general availability of the Microsoft Graph activity logs. The logs can be forwarded using the Azure Diagnostics settings in Entra ID, which will in most cases result in a populated MicrosoftGraphActivityLogs table in your log analytics workspace. This blog discusses the following topics:

- Microsoft Graph Activity Logs Content
- Effectively Querying The Graph API Logs
- Enriching Microsoft Graph Activity Logs
- Detecting Suspicious Activities
- Related Expert Blogs
- RequestUri Length

Microsoft Graph activity logs content

The MicrosoftGraphActivityLogs are an audit trail of all HTTP requests that the Microsoft Graph service received and processed for a tenant.

Sentinel Automation Part 1: Enriching Sentinel Incidents with KQL Results

Automating incident response queries is one of the quick wins you can implement in Microsoft Sentinel. This allows you to automate incident enrichment and further investigations. The first blog of the Sentinel Automation Series will explain how you can quickly implement this in your environment. This is done based on automation rules and Playbooks (Logic Apps).

Results

To show the value of automatically enriching incidents, two examples are discussed in this section: Device Enrichment and the listing of inbound connections.

Detecting Post-Exploitation Behaviour

The recent ScreenConnect vulnerability (CVE-2024-1709 & CVE-2024-1708) showed once more why it is so important to detect post-exploitation behaviour. @Huntress described in detail which behaviour was identified; more on that is shared on their blog: SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708). The most important takeaway is mentioned in the last section: "most of the post-compromise activities we have documented in this article aren't novel, original, or outstanding."

Incident Response PowerShell V2

DFIR PowerShell V2

The DFIR PowerShell script has gotten a major update! It provides you with a single script to collect forensic artefacts on Windows devices. Whether you are responding to incidents with Security E5 licenses or without a security budget, this tool can be executed to collect the information needed to perform the first response. This blog will discuss the following items:

- What's New in Version 2.0
- SIEM Import Functionality
- Azure Data Explorer
- OpenTCPConnections
- Visualising Evidence
- Defender For Endpoint Live Response

What's New in Version 2.