Author | Lightnews

BertJanCyber @bertjancyber.bsky.social · Apr 22

Are you joining The KQL Cafe (@kqlcafe.bsky.social) next week? I will be talking about #KQL, Logic Apps, APIs and a combination of the three during the session.

Interested? Register here: www.meetup.com/kql-cafe/eve...

📅 When: April 29 18:00 - 19:30 (CET)
🖥️ Where: Online
💰 Cost: Free of charge

KQL Cafe - April 2025, Tue, Apr 29, 2025, 6:00 PM | Meetup

Hi Kusto Fans, Another month another [KQL Cafe](https://kqlcafe.com/#upcoming-shows) session. As usual we cover what is new in KQL and what we did with KQL in the last mont

www.meetup.com

1

BertJanCyber @bertjancyber.bsky.social · Apr 14

Microsoft announced the public preview of the OAuthAppInfo table in the Advanced Hunting schema. I created multiple #KQL queries to help you kick-start the usage of this table.🚀

The queries help you to identify high-permissive, unused and external apps.

github.com/Bert-JanP/Hu...

Hunting-Queries-Detection-Rules/Defender For Cloud Apps/OAuthAppInfo at main · Bert-JanP/Hunting-Queries-Detection-Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...

github.com

1

Reposted by BertJanCyber

securityaura.bsky.social @securityaura.bsky.social · Apr 13

#100DaysOfKQL

Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process

IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.

(cont)

t.co/lwO1hmrqUk

https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%20100%20-%20CScript.exe%2C%20WScript.exe%20or%20MSHTA.exe%20Executed%20from%20Web%20Browser%20Process.md

t.co

2 1 5

BertJanCyber @bertjancyber.bsky.social · Apr 12

Pushed a #KQL that returns the top 10 SecurityEvents with the largest ingestion size. This can help determine which events you may want to aggregate or filter, depending on your detection/forensic needs.

github.com/Bert-JanP/Hu...

github.com

3

BertJanCyber @bertjancyber.bsky.social · Mar 31

It's time to prepare some content for the next
@kqlcafe.bsky.social . I will discuss #KQL, Logic Apps and hunting through the available APIs.

The session is on April 29th and is completely free to attend online.

🗓️Event registration & details: www.meetup.com/kql-cafe/

2 5

BertJanCyber @bertjancyber.bsky.social · Mar 3

On my way to #ELDK2025 🇩🇰
First stop Hamburg! 🇩🇪

1

BertJanCyber @bertjancyber.bsky.social · Feb 27

🛡️Released DFIR PowerShell V3!

New features include:
- Granular response capabilities for Acquisition, Analysis, and Containment
- Expanded support beyond Windows, enabling Cloud response activities via Graph API

github.com/Bert-JanP/In...

GitHub - Bert-JanP/Incident-Response-Powershell: PowerShell Digital Forensics & Incident Response Scripts.

PowerShell Digital Forensics & Incident Response Scripts. - Bert-JanP/Incident-Response-Powershell

github.com

4

BertJanCyber @bertjancyber.bsky.social · Feb 18

What EndpointCall do you use for these detections? Or do you only rely on SignInLogs for device code auth?

1

BertJanCyber @bertjancyber.bsky.social · Feb 18

I am aware, that is most often the case for the phishing flow. But this scenario focusses more on the flow of accessing management apis from unmanaged devices using device code auth.

1

BertJanCyber @bertjancyber.bsky.social · Feb 17

Pushed a #KQL for: Successful device code sign-in from an unmanaged device.

Query is available for AADSignInEventsBeta and SigninLogs. Less known is the AADSignInEventsBeta filter for device code:
| where EndpointCall == "Cmsi:Cmsi"

🏹Query: github.com/Bert-JanP/Hu...

2 3 5

BertJanCyber @bertjancyber.bsky.social · Jan 20

If your company runs Exchange Online and/or Microsoft 365 have a look at CISA's latest publication: Microsoft Expanded Cloud Logs Implementation Playbook.

The report includes KQL, SPL and Powershell code to perform incident response.

www.cisa.gov/resources-to...

Microsoft Expanded Cloud Logs Implementation Playbook | CISA

www.cisa.gov

1 4

BertJanCyber @bertjancyber.bsky.social · Jan 20

These two mails keep providing great value to list new actions found in a tenant. Very useful to find new detection & hunting potential, anomalies or just to understand your data better.
I will probably write a small blog about the topic soon.
Deployment: github.com/Bert-JanP/Se...

1 3

Reposted by BertJanCyber

ᴍɪᴄʜᴀʟɪs ᴍɪᴄʜᴀʟᴏs @cyb3rmik3.bsky.social · Jan 12

📬 Have you checked latest Kusto Insights by @ugurkoc.de & @bertjancyber.bsky.social

🗓 December update is available now kustoinsights.substack.com/p/kusto-insi...

#KustoInsights #KustoQuery #KustoQueryLanguage #KQL #MicrosoftSecurity

1 2

BertJanCyber @bertjancyber.bsky.social · Jan 6

Created a #KQL hunting query to list the initial LDAPNightmare exploit (CVE-2024-49113) connection. With this, you can hunt for both successful and failed exploitation attempts 🏹

github.com/Bert-JanP/Hu...

github.com

1

BertJanCyber @bertjancyber.bsky.social · Jan 2

A new tradition has been born, the yearly KQL Community Sources list for 2025 has been published!

Happy hunting this year! 🏹

kqlquery.com/posts/kql-so...

KQL Sources - 2025 Update

What started as a single blog is now becomming a yearly trend. More and more KQL related repositories are created, not only with focus on security but also Intune, Entra and Azure Monitor related quer...

kqlquery.com

4 7

BertJanCyber @bertjancyber.bsky.social · Dec 23

That deployment pipeline is not finished yet :D

1

BertJanCyber @bertjancyber.bsky.social · Dec 23

It has been a good day. 😅

Az.SecurityInsights.internal\New-AzSentinelAlertRule : The maximum number of enabled Scheduled analytics rules (512)

learn.microsoft.com/en-us/azure/...

1 2

BertJanCyber @bertjancyber.bsky.social · Dec 18

NEW BLOG! 🚨

IOC hunting at scale using externaldata().

The blog includes queries for:
- Suspicious NamedPipes
- Tor connections
- Active CISA KEV vulnerabilities
- MISP Feeds

kqlquery.com/posts/extern...

IOC hunting at scale

The KQL External Data operator might be the holiday gift for you! This powerful capability enables you to seamlessly incorporate external data into your KQL queries, such as GitHub IOC lists or MISP F...

kqlquery.com

1

BertJanCyber @bertjancyber.bsky.social · Dec 10

1. github.com/Bert-JanP/Hu...
2. github.com/Bert-JanP/Hu...
3. github.com/Bert-JanP/Hu...
4. github.com/Bert-JanP/Hu...

github.com

1

BertJanCyber @bertjancyber.bsky.social · Dec 10

Latest #KQL additions:
1, Supisicous Named Piped Event
2. CISA Known Exploited Vulnerabilities Visualization
3. Large Number of Analytics Rules Deleted
4. Inbound Authentication From Public IP
Individual links in 🧵
github.com/Bert-JanP/Hu...

GitHub - Bert-JanP/Hunting-Queries-Detection-Rules: KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom...

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...

github.com

1 1 2

BertJanCyber @bertjancyber.bsky.social · Dec 7

Pushed some new VPN and TOR feeds to the list.

github.com/Bert-JanP/Op...

GitHub - Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such ...

This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash. - Bert-JanP/Open-Sourc...

github.com

1 3

BertJanCyber @bertjancyber.bsky.social · Dec 6

Anyone already seen the column ThreatClassification land in their tenant? The column will be added to the EmailEvents table.

Source: techcommunity.microsoft.com/blog/microso...

1 3

BertJanCyber @bertjancyber.bsky.social · Dec 3

It is time for the monthly Kusto Insights newsletter! 📰

open.substack.com/pub/kustoins...

Kusto Insights - November Update

Welcome to a new Monthly Update.

open.substack.com

1

BertJanCyber @bertjancyber.bsky.social · Dec 2

Time to get a #KQL query from the shelve: Potential Adversary in the middle Phishing

If you have High-Risk users and axios useragents in the results please revoke some sessions.

🏹 github.com/Bert-JanP/Hu...

Query is available for both SigninLogs and AADSignInEventsBeta.

2 6

BertJanCyber @bertjancyber.bsky.social · Dec 2

a man wearing a hat and a tank top with the word hello below him

ALT: a man wearing a hat and a tank top with the word hello below him

media.tenor.com

2 9