
KQL Cafe - August 2024

Recording and Presentation

Hosts

Guests

News

KQL Simple Mode in Log Analytics

Here are some instructions if you want to change the default behaviour of KQL simple mode in Log Analytics.


Detect compromised RDP sessions with Microsoft Defender for Endpoint

Note:

  • Additional properties not yet synced to Sentinel
  • Potential additional data volume when storing in Sentinel

Hunting for Copilot Activities

Use this query to hunt for Copilot activities

```kql
CloudAppEvents
| where ActionType == "CopilotInteraction"
```

Identify outdated devices through SignIn Logs

Hunt for outdated devices using the Entra ID sign-in logs (ResultType is a string column in both tables, so the result codes are compared as strings):

```kql
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where ResultType != "0" and ResultDescription == "Other"
| where ResultType == "500061"
| distinct Category, Identity
```

Steven Lim’s awesome KQL queries are now available on GitHub and KQLSearch.com

Microsoft Sentinel - Summary Rules

Check out this new feature in Microsoft Sentinel

Summary Rules

Guest Speaker Truvis Thornton

Truvis talked about using AuditD with Microsoft Sentinel

What did you do with KQL this month?

Gianni talked about how to detect OneDrive download activity using the Microsoft Graph activity logs (the MicrosoftGraphActivityLogs table)

```kql
MicrosoftGraphActivityLogs
| where RequestUri endswith "/content" or RequestUri contains "/content?format="
| where ResponseStatusCode == 200
| where RequestMethod == "GET"
| where RequestUri matches regex @"https://graph.microsoft.com/(beta|v1.0)/(drives|groups|shares|me|sites|users|drive)/"
```
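As an added example (not part of the original page and not Gianni's query), the same OneDrive download filter extended into a bulk-download hunt: it strips the query string so one file fetched with several `?format=` variants counts once, attributes each request to the acting user or service principal, and surfaces actors that pull many distinct items inside a short window. Column names follow the documented MicrosoftGraphActivityLogs schema; the lookback, window and threshold values are assumptions to tune per tenant.

```kql
// Added example, not from the original page. Column names are those of the
// MicrosoftGraphActivityLogs table; lookback, window and threshold are assumed values.
let lookback = 1d;
let window = 1h;
let threshold = 50;   // distinct items per actor per window before we alert
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where RequestMethod == "GET" and ResponseStatusCode == 200
| where RequestUri endswith "/content" or RequestUri contains "/content?format="
| where RequestUri matches regex @"^https://graph\.microsoft\.com/(beta|v1\.0)/(drives|groups|shares|me|sites|users|drive)/"
// Drop the query string so /content and /content?format=pdf on the same item count once
| extend ItemPath = tostring(split(RequestUri, "?")[0])
// Interactive calls carry UserId; app-only calls carry ServicePrincipalId instead
| extend Actor = coalesce(UserId, ServicePrincipalId)
| summarize
    Downloads = count(),
    DistinctItems = dcount(ItemPath),
    TotalBytes = sum(ResponseSizeBytes),
    SourceIPs = make_set(IPAddress, 10),
    Apps = make_set(AppId, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Actor, bin(TimeGenerated, window)
| where DistinctItems >= threshold
| order by DistinctItems desc
```

The regex is anchored with `^` and the dots escaped so a crafted URI elsewhere in the string cannot match; `make_set` is capped so a noisy actor does not produce an oversized row. Pivot on `Apps` and `SourceIPs` to separate a backup or migration tool from a user session that suddenly started pulling files.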