If you query data that contains IP addresses this blog is something for you! It does not matter if you are a SOC Analyst, Detection Engineer, Network Engineer or a Developer all the logs that you use on a daily basis will contain IP addresses. This can be in Sentinel, Defender For Endpoint, Application Insights, Azure Firewall and many other sources. This blog will discuss some basic network related operations, before diving into useful network related KQL functions.

This is it, the last part of the Incident Response series. In the past weeks, insight was given on how KQL can be used to perform incident response, even if the data is not ingested in Sentinel or Microsoft 365 Defender. Part three marks the last part which discusses how you can leverage Live Response, which is available in Defender For Endpoint. The incident response series consists of the following parts:

The second part of the Incident Response series is here! In the last blog, we were lucky enough to have the logs already available in Microsoft 365 Defender or Sentinel. But what could you do if you do not ingest the logs in your SIEM or it is not logged by your EDR? This blog will explain how you can still perform incident response using KQL. Spoiler: Azure Data Explorer is your best friend!

It always happens on Friday afternoon, a high severity incident is created just before you want to start your weekend. After you have triaged the incident you suspect that an threat actor gained access to your environment. From that moment questions are starting to pop up in your head; what happened on this device? Are more devices impacted? What do I need to do to contain the incident? Will I be in time for dinner with my wife?