KQL Cafe - Month Year

Recording

• Recording

Hosts

• Gianni
• Alex

Guests

• Yoan Schinck

KQL News

Microsoft Vulnerable Driver Block Lists

Mehmet Ergene | @Cyb3rMonk | Blue Raven Academy

Microsoft no longer provides the vulnerable driver block list in a browsable web page; instead, the list is only available as a downloadable ZIP file.

• Source
• Microsoft Recommended Driver Block List

This project automates the process of downloading the latest VulnerableDriverBlockList ZIP file, extracting and parsing the SiPolicy_Enforced.xml file, and transforming the data into CSV and JSON formats for easy integration with SIEM and other security tools.

Azure Detection Rules (Azure Arc / VM)

Robbe Van den Daele

• Source

Must Learn KQL: Advanced Edition

Rod Trent

• Source

Hunt for threats using the hunting graph

Microsoft

The hunting graph provides visualization capabilities in advanced hunting by rendering threat scenarios as interactive graphs. This feature allows security operations center (SOC) analysts, threat hunters, and security researchers conduct threat hunting and incident response easily and more intuitively, improving their efficiency and ability to assess possible security issues.

• Hunt for threats using the hunting graph (Preview)

PowerShell | Kusto Schema Tools

Laurie Rhodes (Will join us in the KQL Café Session in March 2026)

A collection of PowerShell based Kusto Schema Tools with the community. The tools are written to managing data interchange between Azure Data Explorer (ADX), EventHouse and Microsoft Sentinel.

• PowerShell Kusto Schema Tools

DisruptionAndResponseEvents (Preview)

Microsoft

• DisruptionAndResponseEvents (Preview)

CloudStorageAggregatedEvents (Preview)

Microsoft

• CloudStorageAggregatedEvents (Preview)
• What's new in Defender for Cloud features

The new CloudStorageAggregatedEvents table is now available in Microsoft Defender XDR’s Advanced Hunting experience. It brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. The aggregation reduces noise, improves performance, and provides a high-level view of storage access patterns to support more effective threat detection and investigation.

This advanced hunting table is populated by records from Microsoft Defender for Cloud. If your organization doesn't have Microsoft Defender for Cloud, queries that use the table aren’t going to work or return any results.

UserActivityByRevokedTokens Function

Thomas Naunheim

• UserActivityByRevokedTokens.func

Guest

• Yoan Schinck
• SecurityAura GitHub

Learn KQL

Convert timestamps in KQL

let Times = datatable(Description:string, String:string)[
    "ISO 8601 (basic)", "20251025T180000Z",
    "ISO 8601 (extended, Z)", "2025-10-25T18:00:00Z",
    "ISO 8601 (extended, +00:00)", "2025-10-25T18:00:00+00:00",
    "ISO 8601 (basic + ms)", "20251025T180000.000Z",
    "ISO 8601 (extended + ms)", "2025-10-25T18:00:00.000Z",
    "RFC 1123 / HTTP-date (GMT)", "Sat, 25 Oct 2025 18:00:00 GMT",
    "RFC 5322 (email, numeric offset)", "Sat, 25 Oct 2025 18:00:00 +0000",
    "RFC 850 (obsolete HTTP-date)", "Saturday, 25-Oct-25 18:00:00 GMT",
    "RFC 822 (2-digit year, GMT)", "Sat, 25 Oct 25 18:00:00 GMT",
    "HTTP-date (RFC 7231)", "Sat, 25 Oct 2025 18:00:00 GMT",
    "POSIX ctime()/asctime()", "Sat Oct 25 18:00:00 2025",
    "Apache/Nginx log", "[25/Oct/2025:18:00:00 +0000]",
    ".NET round-trip (O)", "2025-10-25T18:00:00.0000000Z",
    "Sortable (s)", "2025-10-25T18:00:00",
    "Universal sortable (u)", "2025-10-25 18:00:00Z",
    "Unix epoch (seconds)", "1761415200",
    "Unix epoch (milliseconds)", "1761415200000",
    "Unix epoch (microseconds)", "1761415200000000",
    "Unix epoch (nanoseconds)", "1761415200000000000",
    "Windows FILETIME (100-ns since 1601-01-01)", "134058888000000000",
    "Cisco Syslog", "10/25/2025, 6:00:00.000 PM",
];
Times
| extend Test1 = todatetime(String)
| extend Test1Match = case(Test1 == todatetime("20251025180000"),true,false)
| where Test1Match == false 

let Times = datatable(Description:string, String:real)[
    "Unix epoch (milliseconds)", "1761415200000",
    "Unix epoch (microseconds)", "1761415200000000",
    "Unix epoch (nanoseconds)", "1761415200000000000",
];
Times
| extend UnixMilliseconds = unixtime_milliseconds_todatetime(String)
| extend UnixMicroseconds = unixtime_microseconds_todatetime(String)
| extend UnixNanoseconds = unixtime_nanoseconds_todatetime(String)
| extend Test2 = coalesce(UnixMilliseconds, UnixMicroseconds, UnixNanoseconds)
| extend Test2Match = case(Test2 == todatetime("20251025180000"),true,false)

let Times = datatable(Description:string, String:string)[
    "Cisco Syslog", "10/25/2025, 6:00:00.000 PM",
];
Times
| extend Test3 = todatetime(replace_string(String, ", ", " "))
| extend Test3Match = case(Test3 == todatetime("20251025180000"),true,false)

let Times = datatable(Description:string, String:string)[
    "Apache/Nginx log", "[25/Oct/2025:18:00:00 +0000]"
];
Times
| parse String with "[" Day:string "/" Mon:string "/" Year:string ":" HMS:string " " Offset:string "]"
| extend Test4 = todatetime(strcat(Day, " ", Mon, " ", Year, " ", HMS, " ", Offset))

let Times = datatable(Description:string, String:string)[
"Apache/Nginx log", "[25/Oct/2025:18:00:00 +0000]"
];
Times
| extend Test5 = todatetime(replace_regex(
    String,
    @"^\[(\d{2})/([A-Za-z]{3})/(\d{4}):(\d{2}:\d{2}:\d{2}) ([+\-]\d{4})\]$",
    @"\1 \2 \3 \4 \5"
  ))

What did you do with KQL this month?

Entra ID - Microsoft Entra Connect Sync Audit Events

Alex Verboon

• Entra ID - Microsoft Entra Connect Sync Audit Events
• Collect Microsoft Entra Connect Sync Audit Events