KQL Cafe - August 2024
Recording and Presentation
Hosts
Guests
News
KQL Simple Mode in Log Analytics
Here are some instructions if you want to change the default behaviour for KQL simple mode in Log Analytics.
Detect compromised RDP sessions with Microsoft Defender for Endpoint
Note:
- Additional properties not yet synced to Sentinel
- Potential additional data volume when storing in Sentinel
Hunting for Copilot Activities
Use this query to hunt for Copilot activities
Identify outdated devices through SignIn Logs
Hunt for outdated devices using the Entra ID signin logs
```kql
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where ResultType != 0 and ResultDescription == "Other"
| where ResultType == "500061"
| distinct Category, Identity
```
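An added example, not one of the queries shown during the session, that takes the same outdated-device hunt a step further and breaks the hits down by operating system and browser so you can see which client builds are failing. It assumes the `DeviceDetail` column, which is dynamic in `SigninLogs` but a JSON string in `AADNonInteractiveUserSignInLogs`, which is why each table is normalised before the union:

```kql
// Added example: outdated-device sign-in failures per identity, OS and browser.
// DeviceDetail differs in type between the two tables, so parse it per table
// before the union; otherwise Kusto splits the column into two typed variants.
let Interactive = SigninLogs
    | where ResultType == "500061"
    | extend OS = tostring(DeviceDetail.operatingSystem),
             Browser = tostring(DeviceDetail.browser)
    | project TimeGenerated, Identity, Category, OS, Browser;
let NonInteractive = AADNonInteractiveUserSignInLogs
    | where ResultType == "500061"
    | extend Device = todynamic(DeviceDetail)
    | extend OS = tostring(Device.operatingSystem),
             Browser = tostring(Device.browser)
    | project TimeGenerated, Identity, Category, OS, Browser;
union isfuzzy=true Interactive, NonInteractive
| summarize Attempts = count(), LastSeen = max(TimeGenerated)
    by Identity, Category, OS, Browser
| order by Attempts desc
```

Sorting by `Attempts` surfaces the identities that keep retrying from the same stale client, which is usually where a device refresh or a conditional access exclusion review pays off first.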
Steven Lim's awesome KQL queries are now available on GitHub and KQLSearch.com
Microsoft Sentinel - Summary Rules
Check out this new feature in Microsoft Sentinel
- Aggregate data in a Log Analytics workspace by using summary rules (Preview)
- Aggregate Microsoft Sentinel data with summary rules (preview)
Guest Speaker Truvis Thornton
Truvis talked about using AuditD with Microsoft Sentinel
What did you do with KQL this month?
Gianni talked about how to detect OneDrive activities using the Microsoft Graph Activity Logs
```kql
MicrosoftGraphActivityLogs
| where RequestUri endswith "/content" or RequestUri contains "/content?format="
| where ResponseStatusCode == 200
| where RequestMethod == "GET"
| where RequestUri matches regex @"https://graph.microsoft.com/(beta|v1.0)/(drives|groups|shares|me|sites|users|drive)/"
```
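An added example building on Gianni's query (this is not his code): instead of listing every download, it aggregates the successful content requests per user and hour and only keeps bursts above a threshold, which is the shape you want for a mass-download rule. The `Threshold` value and the one-hour window are assumptions to tune per tenant; `UserId`, `AppId` and `IPAddress` are standard columns of `MicrosoftGraphActivityLogs`:

```kql
// Added example: burst of Graph content downloads per user, resource type and hour.
// Threshold and window are placeholders to tune against your own baseline.
let Threshold = 100;
MicrosoftGraphActivityLogs
| where RequestMethod == "GET" and ResponseStatusCode == 200
| where RequestUri endswith "/content" or RequestUri contains "/content?format="
| where RequestUri matches regex @"https://graph.microsoft.com/(beta|v1.0)/(drives|groups|shares|me|sites|users|drive)/"
// Pull out which resource family (drives, sites, me, ...) the download went through
| extend Resource = extract(@"graph.microsoft.com/(?:beta|v1.0)/([a-z]+)/", 1, RequestUri)
| summarize Downloads = count(),
            DistinctFiles = dcount(RequestUri),
            Apps = make_set(AppId, 10),
            SourceIPs = make_set(IPAddress, 10)
    by UserId, Resource, bin(TimeGenerated, 1h)
| where Downloads > Threshold
| order by Downloads desc
```

`DistinctFiles` next to `Downloads` separates a sync client re-fetching one file many times from a user pulling hundreds of different files, and the `Apps` and `SourceIPs` sets tell you straight away whether the burst came from a known client or from somewhere new.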