Cyber for all

Stay informed, stay secure, and stay one step ahead of adversaries with KQL

Prioritize Vulnerabilities Using The CISA Known Exploited Vulnerabilities Catalog

Due to the sheer amount of vulnerabilities that are being discovered daily, it is difficult to prioritize. This blog will explore the potential of the CISA Known Exploited Vulnerabilities Catalog to help you patch the most needed assets. This is done by discussing KQL queries that can help to find the vulnerabilities that apply to your organisation and find the assets that need to be patched with priority. What is the CISA Known Exploited Vulnerabilities Catalog?

From Threat Report to (KQL) Hunting Query

Threat intelligence reports are an essential source to be able to identify and mitigate security threats. However, the process of converting the information in these reports into actionable queries (such as Kusto Query Language (KQL)) can be challenging. In this blog post, we will explore the steps involved in going from a threat intelligence report to a KQL hunting query. This is done based on two #StopRansomware reports of the joint Cybersecurity Advisory (CSA).

KQL Functions For Network Operations

If you query data that contains IP addresses this blog is something for you! It does not matter if you are a SOC Analyst, Detection Engineer, Network Engineer or a Developer all the logs that you use on a daily basis will contain IP addresses. This can be in Sentinel, Defender For Endpoint, Application Insights, Azure Firewall and many other sources. This blog will discuss some basic network related operations, before diving into useful network related KQL functions.

Incident Response Part 3: Leveraging Live Response

This is it, the last part of the Incident Response series. In the past weeks, insight was given on how KQL can be used to perform incident response, even if the data is not ingested in Sentinel or Microsoft 365 Defender. Part three marks the last part which discusses how you can leverage Live Response, which is available in Defender For Endpoint. The incident response series consists of the following parts: