Introduction: In the high-stakes arena of cybersecurity, proficiency in specialized query languages like Kusto Query Language (KQL) is rapidly becoming the differentiator between reactive defenders and proactive hunters. The recent feat of a security professional solving the complex YellowHat Capture The Flag (CTF) challenge in a mere two hours, attributed to advanced KQL training, underscores a critical shift: mastering data interrogation is paramount for threat detection, engineering, and response within modern SIEM and XDR platforms like Microsoft Sentinel.

Welcome back to KQL Toolbox 👋 Welcome back to the DevSecOpsDad KQL Toolbox series! In the last entry KQL Toolbox #2, we zoomed in on log source cost drivers—using _IsBillable and _BilledSize to identify which tables, severities, and Event IDs were burning the most money in Microsoft Sentinel. 👉 This...

Introduction: In the ever-evolving threat landscape, malware authors constantly tweak their tradecraft to evade detection. A prime example is CoffeeLoader, a malicious downloader, which employs a hardcoded User Agent string impersonating an iPhone to blend into benign network traffic. This article delves into a precise Kusto Query Language (KQL) hunting rule designed to catch this deception by correlating the suspicious User Agent with non-iOS system data, showcasing practical threat hunting in Microsoft Sentinel.

Automate OneLake shortcuts for Eventhouse with a two-step REST API approach. Complete guide with code examples and authentication details.

Introduction: A sophisticated malware campaign is disguising the notorious AsyncRAT remote access trojan within a seemingly benign "ClickFix" utility, which deliberately triggers a Blue Screen of Death (BSOD) to cover its malicious installation tracks. This dual-action attack—system disruption followed by silent, persistent backdoor access—exemplifies modern evasion techniques, making detection a critical challenge for Security Operations Centers (SOCs). This article delves into the threat hunting methodology using Kusto Query Language (KQL) to uncover this activity within Azure Sentinel, transforming raw telemetry into actionable security intelligence.

Introduction: Kusto Query Language (KQL) has cemented itself as the indispensable lingua franca for security professionals operating in Microsoft ecosystems like Microsoft 365 Defender, Sentinel, and Azure. As the threat landscape evolves, so does the collective knowledge of the KQL community. This article dives into the 2026 update of essential KQL resources, transforming raw repositories into actionable defensive tactics. Learning Objectives:

Welcome back to KQL Toolbox 👋 In the last KQL Toolbox, we zoomed out and looked at billable ingest trends over time—how many GiB per day you’re ingesting, and roughly how much that’s costing you in Microsoft Sentinel. This time, we’re zooming in. Because once you can say “We’re ingesting...

Introduction: In the world of cloud-native security, Microsoft Sentinel provides unparalleled threat visibility, but its pay-per-gigabyte ingestion model can lead to unpredictable and soaring costs. Security teams are often blindsided by monthly bills, struggling to answer the fundamental question: "What is generating this cost, and is it worth it?" Ian Hanley's inaugural "KQL Toolbox" post delivers the essential scripts and methodology to transform cost data into actionable intelligence, empowering teams to govern their SIEM spend without sacrificing security coverage.

KQL Toolbox is officially live! As part of this new KQL Toolbox series, I bring you practical, reusable KQL snippets straight from the trenches of real-world Microsoft Sentinel work. Think of it as your regular “KQL vitamin:” small dose, big impact. And today we’re kicking things off with the one...

Introduction: The modern Security Operations Center (SOC) is shifting from a reactive alert-response model to a proactive threat-hunting paradigm. This evolution is powered by tools like Microsoft Defender for Endpoint and the Kusto Query Language (KQL), which allow analysts to sift through vast telemetry data to find hidden adversaries. By leveraging frameworks like MITRE ATT&CK and writing precise KQL queries, security teams can now assume a breach and actively search for malicious tactics, techniques, and procedures (TTPs) before they escalate into full-blown incidents.

If you work with Microsoft security products, you've probably spent time writing KQL queries. You might search through documentation, look at examples on GitHub, or copy queries from colleagues. KQL-Search-MCP Server makes this easier by bringing query search and generation directly into AI assistants like Claude Desktop, GitHub Copilot, ChatGPT