BertJanCyber's Avatar

BertJanCyber

@bertjancyber

CSIRT | http://kqlquery.com | Microsoft Security MVP | Blue & Purple Team | SOC | SIEM | Threat Hunting | Detection Engineering | #KQL |

137
Followers 76
Following 23
Posts 02.12.2024
Joined
Posts Following

Latest posts by BertJanCyber @bertjancyber

Preview
KQL Cafe - April 2025, Tue, Apr 29, 2025, 6:00 PM | Meetup Hi Kusto Fans, Another month another [KQL Cafe](https://kqlcafe.com/#upcoming-shows) session. As usual we cover what is new in KQL and what we did with KQL in the last mont

Are you joining The KQL Cafe (@kqlcafe.bsky.social) next week? I will be talking about #KQL, Logic Apps, APIs and a combination of the three during the session.

Interested? Register here: www.meetup.com/kql-cafe/eve...

πŸ“… When: April 29 18:00 - 19:30 (CET)
πŸ–₯️ Where: Online
πŸ’° Cost: Free of charge

22.04.2025 16:09 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Hunting-Queries-Detection-Rules/Defender For Cloud Apps/OAuthAppInfo at main Β· Bert-JanP/Hunting-Queries-Detection-Rules KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...

Microsoft announced the public preview of the OAuthAppInfo table in the Advanced Hunting schema. I created multiple #KQL queries to help you kick-start the usage of this table.πŸš€

The queries help you to identify high-permissive, unused and external apps.

github.com/Bert-JanP/Hu...

14.04.2025 17:25 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
https://github.com/SecurityAura/DE-TH-Aura/blob/main/100DaysOfKQL/Day%20100%20-%20CScript.exe%2C%20WScript.exe%20or%20MSHTA.exe%20Executed%20from%20Web%20Browser%20Process.md

#100DaysOfKQL

Day 100 - CScript.exe, WScript.exe or MSHTA.exe Executed from Web Browser Process

IT'S FINALLY OVER! I had another query in store for today, but I feel like this challenge wouldn't be complete without that one.

(cont)

t.co/lwO1hmrqUk

13.04.2025 02:46 πŸ‘ 5 πŸ” 1 πŸ’¬ 2 πŸ“Œ 0

Pushed a #KQL that returns the top 10 SecurityEvents with the largest ingestion size. This can help determine which events you may want to aggregate or filter, depending on your detection/forensic needs.

github.com/Bert-JanP/Hu...

12.04.2025 07:58 πŸ‘ 3 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image

It's time to prepare some content for the next
@kqlcafe.bsky.social . I will discuss #KQL, Logic Apps and hunting through the available APIs.

The session is on April 29th and is completely free to attend online.

πŸ—“οΈEvent registration & details: www.meetup.com/kql-cafe/

31.03.2025 18:06 πŸ‘ 5 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0
Post image

On my way to #ELDK2025 πŸ‡©πŸ‡°
First stop Hamburg! πŸ‡©πŸ‡ͺ

03.03.2025 14:21 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
GitHub - Bert-JanP/Incident-Response-Powershell: PowerShell Digital Forensics & Incident Response Scripts. PowerShell Digital Forensics & Incident Response Scripts. - Bert-JanP/Incident-Response-Powershell

πŸ›‘οΈReleased DFIR PowerShell V3!

New features include:
- Granular response capabilities for Acquisition, Analysis, and Containment
- Expanded support beyond Windows, enabling Cloud response activities via Graph API

github.com/Bert-JanP/In...

27.02.2025 19:39 πŸ‘ 4 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

What EndpointCall do you use for these detections? Or do you only rely on SignInLogs for device code auth?

18.02.2025 16:52 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

I am aware, that is most often the case for the phishing flow. But this scenario focusses more on the flow of accessing management apis from unmanaged devices using device code auth.

18.02.2025 16:50 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image Post image

Pushed a #KQL for: Successful device code sign-in from an unmanaged device.

Query is available for AADSignInEventsBeta and SigninLogs. Less known is the AADSignInEventsBeta filter for device code:
| where EndpointCall == "Cmsi:Cmsi"

🏹Query: github.com/Bert-JanP/Hu...

17.02.2025 18:53 πŸ‘ 5 πŸ” 3 πŸ’¬ 2 πŸ“Œ 0
Microsoft Expanded Cloud Logs Implementation Playbook | CISA

If your company runs Exchange Online and/or Microsoft 365 have a look at CISA's latest publication: Microsoft Expanded Cloud Logs Implementation Playbook.

The report includes KQL, SPL and Powershell code to perform incident response.

www.cisa.gov/resources-to...

20.01.2025 19:08 πŸ‘ 4 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Post image Post image Post image

These two mails keep providing great value to list new actions found in a tenant. Very useful to find new detection & hunting potential, anomalies or just to understand your data better.
I will probably write a small blog about the topic soon.
Deployment: github.com/Bert-JanP/Se...

20.01.2025 16:27 πŸ‘ 3 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Post image

πŸ“¬ Have you checked latest Kusto Insights by @ugurkoc.de & @bertjancyber.bsky.social

πŸ—“ December update is available now kustoinsights.substack.com/p/kusto-insi...

#KustoInsights #KustoQuery #KustoQueryLanguage #KQL #MicrosoftSecurity

12.01.2025 15:18 πŸ‘ 2 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0

Created a #KQL hunting query to list the initial LDAPNightmare exploit (CVE-2024-49113) connection. With this, you can hunt for both successful and failed exploitation attempts 🏹

github.com/Bert-JanP/Hu...

06.01.2025 20:44 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
KQL Sources - 2025 Update What started as a single blog is now becomming a yearly trend. More and more KQL related repositories are created, not only with focus on security but also Intune, Entra and Azure Monitor related quer...

A new tradition has been born, the yearly KQL Community Sources list for 2025 has been published!

Happy hunting this year! 🏹

kqlquery.com/posts/kql-so...

02.01.2025 15:36 πŸ‘ 7 πŸ” 4 πŸ’¬ 0 πŸ“Œ 0

That deployment pipeline is not finished yet :D

23.12.2024 20:55 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image

It has been a good day. πŸ˜…

Az.SecurityInsights.internal\New-AzSentinelAlertRule : The maximum number of enabled Scheduled analytics rules (512)

learn.microsoft.com/en-us/azure/...

23.12.2024 18:38 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
IOC hunting at scale The KQL External Data operator might be the holiday gift for you! This powerful capability enables you to seamlessly incorporate external data into your KQL queries, such as GitHub IOC lists or MISP F...

NEW BLOG! 🚨

IOC hunting at scale using externaldata().

The blog includes queries for:
- Suspicious NamedPipes
- Tor connections
- Active CISA KEV vulnerabilities
- MISP Feeds

kqlquery.com/posts/extern...

18.12.2024 15:42 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

1. github.com/Bert-JanP/Hu...
2. github.com/Bert-JanP/Hu...
3. github.com/Bert-JanP/Hu...
4. github.com/Bert-JanP/Hu...

10.12.2024 15:35 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
GitHub - Bert-JanP/Hunting-Queries-Detection-Rules: KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom... KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...

Latest #KQL additions:
1, Supisicous Named Piped Event
2. CISA Known Exploited Vulnerabilities Visualization
3. Large Number of Analytics Rules Deleted
4. Inbound Authentication From Public IP
Individual links in 🧡
github.com/Bert-JanP/Hu...

10.12.2024 15:35 πŸ‘ 2 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0
Preview
GitHub - Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such ... This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash. - Bert-JanP/Open-Sourc...

Pushed some new VPN and TOR feeds to the list.

github.com/Bert-JanP/Op...

07.12.2024 11:30 πŸ‘ 3 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Post image

Anyone already seen the column ThreatClassification land in their tenant? The column will be added to the EmailEvents table.

Source: techcommunity.microsoft.com/blog/microso...

06.12.2024 17:42 πŸ‘ 3 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
Kusto Insights - November Update Welcome to a new Monthly Update.

It is time for the monthly Kusto Insights newsletter! πŸ“°

open.substack.com/pub/kustoins...

03.12.2024 17:30 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Time to get a #KQL query from the shelve: Potential Adversary in the middle Phishing

If you have High-Risk users and axios useragents in the results please revoke some sessions.

🏹 github.com/Bert-JanP/Hu...

Query is available for both SigninLogs and AADSignInEventsBeta.

02.12.2024 17:37 πŸ‘ 6 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0
Preview
a man wearing a hat and a tank top with the word hello below him ALT: a man wearing a hat and a tank top with the word hello below him
02.12.2024 17:08 πŸ‘ 9 πŸ” 0 πŸ’¬ 2 πŸ“Œ 1