Cyber for all

Stay informed, stay secure, and stay one step ahead of adversaries with KQL

Incident Response PowerShell V2

DFIR PowerShell V2 The DFIR PowerShell script has gotten a major update! The script provides you with a single script to collect forensic artefacts on Windows devices. Whether you are responding to incidents with Security E5 licenses or without a security budget, this tool can be executed to collect the needed information to perform the first response. This blog will discuss the following items: What’s New in Version 2.0 SIEM Import Functionality Azure Data Explorer OpenTCPConnections Visualising Evidence Defender For Endpoint Live Response What’s New in Version 2.

KQL Security Sources - 2024 Update

It is great to see that more and more repositories, blogs and other sources share security related KQL content. Therefore this post provides an updated list of KQL Security Sources to start the new year. These sources can help you to kickstart your KQL knowledge for the upcoming year, by providing learning material, detection rules, hunting queries and many more. The image below shows the increase in KQL repositories and the adoption from the community, they are becoming more and more popular, due to companies shifting to Microsoft Security solutions.

Prioritize Vulnerabilities Using The CISA Known Exploited Vulnerabilities Catalog

Due to the sheer amount of vulnerabilities that are being discovered daily, it is difficult to prioritize. This blog will explore the potential of the CISA Known Exploited Vulnerabilities Catalog to help you patch the most needed assets. This is done by discussing KQL queries that can help to find the vulnerabilities that apply to your organisation and find the assets that need to be patched with priority. What is the CISA Known Exploited Vulnerabilities Catalog?

From Threat Report to (KQL) Hunting Query

Threat intelligence reports are an essential source to be able to identify and mitigate security threats. However, the process of converting the information in these reports into actionable queries (such as Kusto Query Language (KQL)) can be challenging. In this blog post, we will explore the steps involved in going from a threat intelligence report to a KQL hunting query. This is done based on two #StopRansomware reports of the joint Cybersecurity Advisory (CSA).