Whether you are just getting started with KQL or already deep into advanced hunting, the Kusto Insights newsletter is a valuable resource. It curates some of the best queries and community-driven #KQL content in one place. After a bit of a break, I recently got back into building and contributing again and I am glad to see one of my queries featured as Query of the Month in the latest issue. ➡️ If you are not subscribed yet, you can explore the archive here: 🔗 kustoinsights.substack.com/a… ➡️ You can also find more of my KQL queries here: 🔗 github.com/cyb3rmik3/KQL-thr… #MicrosoftCommunity #KustoQuery #KustoQueryLanguage
New KQL queries at my repo (it's been a while, huh? 😉) Having in mind that the Usage table in Microsoft Sentinel was recently empowered with the Plan column, the following three KQL queries focus on understanding ingestion patterns and uncovering opportunities to optimize costs. ➡️ Daily ingestion insights per table ➡️ Potential savings estimation when shifting tables to Data Lake ➡️ Hourly ingestion trend analysis If you’re tuning your Sentinel environment or exploring smarter data strategies, give them a look. Feedback is always welcome. 🔗 The queries: github.com/cyb3rmik3/KQL-thr… 🔗 More queries at my repo: github.com/cyb3rmik3/KQL-thr… #KQL #KustoQuery #MicrosoftSecurity #MicrosoftSentinel #AdvancedHunting
If you have worked with the make-graph operator, you know the struggle of building a well-defined query for bringing together nodes and edges. Well, that's history. Lift_To_Graph() and Graph_Render_View() can do the heavy work now. The era of shifting to relationships instead of tables is already here. #kql #kustoquery
New Blog: Unlock Different Security Perspectives with Kusto Graph Functions 🔗 kqlquery.com/posts/kql-graph… This blog explores how the Lift_To_Graph() and Graph_Render_View() functions make graph-based detection, response and hunting scenarios easier.
FileMaliciousContentInfo is a newly introduced 🔍 #AdvancedHunting table for 🛡️ Microsoft Defender for Office 365, currently available in Public Preview. This table provides detailed visibility into files processed by Microsoft Defender for Office 365 across SharePoint Online, OneDrive, and Microsoft Teams, making it a strong foundation for threat hunting and threat intelligence correlation. 🔗 More info: learn.microsoft.com/en-us/de… #MicrosoftSecurity #MicrosoftDefender #DefenderXDR #KQL #KustoQuery
💡 There is an interesting development rolling out next month in Advanced Hunting to be aware of: Boolean field values will no longer return 1 and 0 in results, something that might be causing semantic ambiguity. Instead, they will be replaced by the textual True and False, which will provide a human-first touch with clarity and readability. Why this matters: while queries and detection rules won't be affected, in case you have scripts and automations that rely upon parsing these values, then you need to start working on updating them. 🔗 More info: learn.microsoft.com/en-us/de… #KQL #KustoQuery #AdvancedHunting
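The post above describes a rendering change that breaks scripts which compare Boolean columns against 1/0. The following is an added example, not code from the post or from the author's repo, showing how an automation can be made robust to both the current 1/0 rendering and the upcoming True/False rendering. It assumes a result payload shaped like a schema list of {"Name", "Type"} entries plus a list of row dictionaries (an assumption about the Advanced Hunting API response, not something the post states), and the sample rows and column names are constructed for illustration.

```python
"""Normalize Boolean columns in Advanced Hunting results.

A script that does `row["IsInternetFacing"] == 1` silently breaks the day
Boolean values start rendering as "True"/"False". This helper coerces every
representation (real bools, 0/1 ints, "0"/"1", "true"/"false" in any case)
to a Python bool, so downstream logic keeps working through the transition.
"""
from typing import Any, Dict, Iterable, List, Optional

# Accepted textual spellings, compared case-insensitively after stripping.
_TRUE_STRINGS = {"1", "true"}
_FALSE_STRINGS = {"0", "false"}


def coerce_bool(value: Any) -> Optional[bool]:
    """Map any supported Boolean representation to True/False (None stays None).

    Anything that is not unambiguously Boolean raises ValueError, so an
    unexpected rendering fails loudly instead of being silently read as falsy.
    """
    if value is None:
        return None
    if isinstance(value, bool):          # checked before int: bool is an int subclass
        return value
    if isinstance(value, int) and value in (0, 1):
        return bool(value)
    if isinstance(value, str):
        text = value.strip().lower()
        if text in _TRUE_STRINGS:
            return True
        if text in _FALSE_STRINGS:
            return False
    raise ValueError(f"not a Boolean value: {value!r}")


def boolean_columns(schema: Iterable[Dict[str, str]]) -> List[str]:
    """Names of columns whose schema type is Boolean.

    Assumed payload shape (not verified against the post): a list of
    {"Name": ..., "Type": ...} entries describing the result columns.
    """
    return [col["Name"] for col in schema if col.get("Type", "").lower() == "boolean"]


def normalize_rows(schema: Iterable[Dict[str, str]],
                   rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return copies of the rows with every Boolean column coerced to bool."""
    cols = boolean_columns(schema)
    normalized = []
    for row in rows:
        fixed = dict(row)
        for name in cols:
            if name in fixed:
                fixed[name] = coerce_bool(fixed[name])
        normalized.append(fixed)
    return normalized


# Constructed sample: the first row uses today's 1/0 rendering, the second the
# upcoming "True"/"False" rendering, the third real JSON booleans and a null.
SAMPLE_SCHEMA = [
    {"Name": "DeviceName", "Type": "String"},
    {"Name": "IsAzureADJoined", "Type": "Boolean"},
    {"Name": "IsInternetFacing", "Type": "Boolean"},
]
SAMPLE_ROWS = [
    {"DeviceName": "ws-01.contoso.example", "IsAzureADJoined": 1, "IsInternetFacing": 1},
    {"DeviceName": "ws-02.contoso.example", "IsAzureADJoined": "True", "IsInternetFacing": "True"},
    {"DeviceName": "srv-03.contoso.example", "IsAzureADJoined": True, "IsInternetFacing": None},
]


def naive_internet_facing(rows: Iterable[Dict[str, Any]]) -> List[str]:
    """The fragile check: only matches the 1/0 rendering (kept to show the gap)."""
    return [r["DeviceName"] for r in rows if r["IsInternetFacing"] == 1]


def robust_internet_facing(schema, rows) -> List[str]:
    """The same question asked after normalization: matches both renderings."""
    return [r["DeviceName"] for r in normalize_rows(schema, rows) if r["IsInternetFacing"] is True]


if __name__ == "__main__":
    print("naive :", naive_internet_facing(SAMPLE_ROWS))
    print("robust:", robust_internet_facing(SAMPLE_SCHEMA, SAMPLE_ROWS))
```

Run against the constructed rows, the naive check lists only ws-01 while the normalized check lists ws-01 and ws-02; the difference is exactly the row rendered with the new textual values. Normalizing on the schema type rather than guessing per value also means a column that legitimately contains the string "1" is left alone.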
I had these stickers ready in time for #KustoCon, too bad I didn't have the chance to give them out. Maybe next year 🫡 In the meantime, if we meet somewhere, don't hesitate to ask for them 😎 #KQL #KustoQuery #AdvancedHunting
While everything was set since even before summer, unfortunately I won't be able to join an elite team of KQL professionals in 3 days for #KustoCon. My place in the schedule will be filled by a fellow MVP and community member, @ThomasVrhydn, who will elaborate on Proactive XSPM hunting, pretty close to what I was preparing as well. Only 3 days left! 🔗 kustocon.com/ #KQL #KustoQuery #MicrosoftCommunity #MicrosoftSecurity

22 Oct 2025
🔍 Ready to take your KQL skills to the next level? Advanced Must Learn KQL breaks down complex queries into simple, actionable steps. Perfect for data analysts and engineers! Get your copy today. 💻 🔗 amzn.to/3VDrEFs #KustoQuery #DataEngineering #TechLearning #MustLearnKQL #KQL
📢 New blog post 📢 "Keeping privacy when running queries: how to obfuscate your KQL results" Sharing your screen with results on a call and removing a column from your project operator seems too easy? Well, using #KQL there are plenty of ways to mask and obfuscate values. This blog elaborates on various operators including hash() and others in order to achieve: ➡️ Simple hashing ➡️ Partial masking ➡️ Randomized obfuscation ➡️ Masking a specific portion As always, some KQL examples are included. 🔗 Blog post: michalos.net/2025/09/19/keep… #MicrosoftSecurity #MicrosoftSentinel #DefenderXDR #KustoQuery #KustoQueryLanguage
Here are your Microsoft Defender weekend reads: 📰 Defender XDR September Monthly News came with some awesome new features including: 💡 Detection rules can now be found in one place, whether detection rules or analytics rules, and there are also further options to filter and configure. 💡 Incidents and alerts can now be filtered based on sensitivity labels, hence allowing better prioritization in triaging incoming alerts. 💡 Defender for Identity has received a boost in features, identifying inactive service accounts, Identity scoping and more. 🔗 techcommunity.microsoft.com/… 📰 Also, don't forget Kusto Insights by @UgurKocDe and @BertJanCyber; some cool blogs and new queries from the community are included in September's update. 🔗 kustoinsights.substack.com/p… #Microsoft #MicrosoftDefender #MicrosoftSecurity #DefenderXDR #Kusto #KQL #KustoInsights #KustoQueryLanguage #KustoQuery
🏹 New #KQL query! ➡️ Fetch dynamic and manual tags for active devices 🔗 github.com/cyb3rmik3/KQL-thr… 💡 This query takes into account the DeviceInfo table and will provide the devices based on OSPlatform value (Windows10, Windows11 etc.) and what you consider as an inactive device (last seen 7 days ago, for example) and will identify for each device its tags, whether dynamic or manual. 😊 Hey, if you enjoyed this query please consider landing a ⭐ at my KQL repo: 🔗 github.com/cyb3rmik3/KQL-thr… #MicrosoftSecurity #KustoQuery #KustoQueryLanguage #MicrosoftSentinel #MicrosoftDefender #MicrosoftDefenderXDR
❗ There have been some key updates with regards to Microsoft Defender for Threat Intelligence tables: ➡️ The transition from the legacy ThreatIntelligenceIndicator table to ThreatIntelIndicators and ThreatIntelObjects is extended to 31 August 2025. ➡️ No new data will be ingested into the legacy table after that date, and all custom content must reference the new tables. ➡️ Dual ingestion is available by request until the final retirement on 31 May 2026. Make your plans, and look into your analytics accordingly. 🔗 More info: techcommunity.microsoft.com/… #MicrosoftSecurity #MicrosoftDefender #ThreatIntelligence #ThreatIntel #KQL #KustoQuery
Have you saved your spot for KustoCon? 🧐 If not, there’s still time! Join us in person in Zurich on November 6th; a limited number of spots are still available! Don’t miss this chance to connect with great people, attend an engaging workshop, and dive into discussions on Microsoft Security and KQL. You can still join online if you can't make it in person. 🔗 More information: kustocon.com/ The great people: @cosh23, @olafhartong, @UgurKocDe, @BertJanCyber, @MattiasBorg82, @stefanschorling, @alexverboon, @castello_johnny, @oudendorp and me 😏. #MicrosoftSecurity #AdvancedHunting #KustoCon #KustoQuery #KustoQueryLanguage
📢 New blog post 📢 "Breaking down the Microsoft Defender External Attack Surface Management opportunities for queries in Advanced Hunting & Log Analytics Workspace" Last before summer vacation, in this blog post I elaborate on the opportunities available to run queries over MDEASM data in Log Analytics Workspace and the very recently introduced capacity in Advanced Hunting, with the help of Exposure Management initiatives. As always, #KQL queries are also included :) 🔗 Blog post: michalos.net/2025/07/31/brea… #MicrosoftSecurity #MicrosoftSentinel #DefenderXDR #KustoQuery #KustoQueryLanguage #EASM #MDEASM #ExposureManagement #XSPM
That's me after owning the make-graph operator and building my first #KQL query for Exposure Management in Advanced Hunting. More, coming soon. #KustoQuery
I had the privilege yesterday to join the Microsoft 365 Security & Compliance User Group (meetup.com/m365sandcug/) curated by @rucam365, @WillTheFrenchie & @WelkasWorld and present: "Shedding light to uncovered vulnerabilities with the Defender Vulnerability Management add-on" where I elaborated on the benefits of using the premium capabilities of MDVM including Browser Extensions, Digital Certificates, Network Shares and Hardware & Firmware. If you missed it, check below: ➡️ The slides (github.com/cyb3rmik3/present…) ➡️ First part of my blog elaborating on the MDVM add-on (michalos.net/2024/10/20/micr…) ➡️ Second part of my blog elaborating on the MDVM add-on (michalos.net/2024/12/04/micr…) ➡️ Some #KQL queries for MDVM (github.com/cyb3rmik3/KQL-thr…) #MicrosoftSecurity #MicrosoftDefender #DefenderXDR #VulnerabilityManagement #KustoQuery #KustoQueryLanguage
📢 New blog post 📢 "Insights from the trenches: building audit capacity for Microsoft Sentinel & Defender XDR" Compliance isn't just a checkbox, it’s the foundation of trust and operational integrity in modern security, hence it is important to ensure audit and regulatory readiness. Insights include: ➡️ Proper RBAC development ➡️ Protecting the Log Analytics Workspace ➡️ Monitoring for tampering behavior ➡️ Looking into Defender’s Audit As always, #KQL queries are also included :) 🔗 Blog post: michalos.net/2025/06/20/insi… 💡 PS: It's been a few weeks since I changed the michalos.net theme, do you like it? #MicrosoftSecurity #MicrosoftSentinel #DefenderXDR #KustoQuery #KustoQueryLanguage #Audit #Compliance