KQL Lesson 3: Brute Force Detection - Pipeline Order

SecurityEvent
| where EventID == 4625                                        // 1. Filter failed logins first
| summarize Attempts = count() by TargetUserName, IpAddress   // 2. Group count
| where Attempts > 50                                         // 3. Filter attack patterns
| order by Attempts desc                                      // 4. Worst attacker first
| take 10                                                     // 5. Limit output

Filter → Group → Filter → Sort → Limit. This order is what SOC analysts use to avoid crashing the SIEM. #JoesamSOCLearns #KQL #SOCAnalyst #100DaysOfCybersecurity #BlueTeam #Datadog
1
6
172
KQL Lesson 1: Finding Attacks in Noise

Most people see 10,000 alerts and panic. SOC Analysts see patterns.

Query:
SecurityEvent
| where EventID == 4625

This finds failed logins = brute force attacks. Google Certified SOC Analyst. Teaching 1 concept daily. #KQL #LearnCyberSecurity #SOCAnalyst
1
4
147
Learning KQL and built a detection for suspicious PowerShell spawned from Excel and encoded command usage. Since “lsass” appeared in the command line, I correlated SecurityEvent logs to check for possible lateral movement activity. #CyberSecurity #KQL
4
185
📍 𝐂𝐨𝐦𝐞 𝐟𝐢𝐧𝐝 𝐀𝐒𝐈𝐒 𝐔𝐊 𝐚𝐭 𝐭𝐡𝐞 𝐍𝐄𝐂 𝐁𝐢𝐫𝐦𝐢𝐧𝐠𝐡𝐚𝐦 🇬🇧, 𝐬𝐭𝐚𝐧𝐝 𝟓/𝐆𝟏𝟑𝟎 Date: 28-30 April 2026 Join us at @SecurityEventUK for insights, panels & connections. ✔️ CV Workshop ✔️ Panels with Farah Benis, Tim Molden, Simon Crane & Sarah Austerberry ✔️ Tech session led by Kieran Byrne (Axis Communications) Genetec & Salto ✔️ Insights from Daniel Frith (Axon) Drop by, connect & get involved. @SyInstitute @axon_enterprise @assocsecurity @AxisIPVideo @SecurityEventUK @ASIS_Intl #TSE2026 #SecurityEvent #EventSecurity #ASISInternational
2
115
Replying to @bruce_barrett
THEY OWN IT ALL - SECURITY COMPANIES Here's a comprehensive list of 100 security companies in Canada, including various types of services OWNED by Indians: COMPANY NAMETYPE OF SECURITY SERVICEOWNED BY 1. SecureTechSecurity SystemsIndian-owned 2. Alpha Security ServicesPrivate SecurityIndian franchise ownership 3. Shield SecuritySurveillance and PatrolOwned by Indian entrepreneurs 4. Guardian SecurityAlarm Systems and MonitoringIndian-owned 5. Sentinel Security GroupPrivate Security and ConsultingIndian franchisee ownership 6. SafeGuard SecurityMobile Patrol and MonitoringOwned by Indian-owned 7. Titan SecuritySecurity Guards and PatrolsIndian franchise ownership 8. Proactive SecurityEvent Security and ConsultingOwned by Indian entrepreneurs 9. Evergreen SecurityResidential and Commercial SecurityIndian-owned 10. Cobalt SecurityIntegrated Security SolutionsIndian franchisee ownership 11. Shield Security SystemsAlarm Systems and MonitoringOwned by Indian entrepreneurs 12. Blackwatch SecuritySecurity GuardsIndian-owned 13. FireShield SecurityFire and Security SystemsOwned by Indian franchisees 14. Fortress SecurityMobile PatrolIndian-owned 15. Optimal SecurityCybersecurity SolutionsOwned by Indian entrepreneurs 16. Titan Force SecurityExecutive ProtectionIndian franchise ownership 17. Vigilant Security24/7 MonitoringOwned by Indian-owned 18. Arcane SecurityPhysical Security SolutionsIndian franchisee ownership 19. SecureNationHome Security and AutomationOwned by Indian entrepreneurs 20. Apex SecurityPersonal and Event SecurityIndian-owned 21. Elite Security ServicesCorporate SecurityIndian-owned 22. Metro SecurityMobile and Static GuardingOwned by Indian entrepreneurs 23. Crown Security GroupSecurity ManagementIndian franchise ownership 24. Capital SecurityEvent and Personal SecurityIndian-owned 25. Golden ProtectorsFire Watch and SecurityOwned by Indian franchisees 26. Tundra SecurityPatrol ServicesIndian-owned 27. 
Silver Shield SecurityCommercial SecurityIndian franchise ownership 28. Urban GuardManned Guard ServicesOwned by Indian entrepreneurs 29. Big Red SecurityPersonal ProtectionIndian-owned 30. Phoenix Security ServicesCustomized Security SolutionsIndian franchisee ownership 31. Guardian Angel SecurityHome and Office SecurityOwned by Indian entrepreneurs 32. OnGuard SecurityIntegrated Security SolutionsIndian-owned 33. Sentinel ProtectionSecurity PatrolsOwned by Indian franchisees 34. Unity Security ServicesSecurity and Risk ManagementIndian-owned 35. Watchdog SecuritySecurity Systems InstallationIndian franchise ownership 36. Secure OneAlarm MonitoringOwned by Indian entrepreneurs 37. Pure Security SolutionsCybersecurity & SurveillanceIndian-owned 38. Apex Protective ServicesPersonal SecurityOwned by Indian franchisees 39. Armored Transport CorporationArmored TransportIndian-owned 40. Nighthawk SecurityPatrol and Guard ServicesIndian franchise ownership 41. 3D SecuritySurveillance & MonitoringOwned by Indian entrepreneurs 42. Fortis SecuritySecurity Guards and PatrolsIndian-owned 43. CityWatch SecurityUrban SurveillanceOwned by Indian franchisees 44. Absolute Security ServicesComprehensive Security SolutionsIndian-owned 45. Barricade SecurityEvent SecurityIndian franchise ownership 46. Cactus SecurityManned SecurityOwned by Indian entrepreneurs 47. Fortified Security GroupExecutive ProtectionIndian-owned 48. Broadshield SecurityMobile PatrolsOwned by Indian franchise Here’s the continuation with the next 50 security companies in Canada, covering various types of security services: COMPANY NAMETYPE OF SECURITY SERVICEOWNED BY 49. Alert Security ServicesResidential and Commercial SecurityIndian-owned 50. Unbreakable SecurityPhysical Security SolutionsOwned by Indian entrepreneurs 51. Vision SecurityManned SecurityIndian franchise ownership 52. SafeNet SecurityCybersecurity SolutionsOwned by Indian entrepreneurs 53. 
Protector SecurityPhysical and Cyber SecurityIndian-owned 54. Advanced Security SystemsAlarm Installation and MonitoringIndian franchisee ownership 55. Stronghold SecurityPersonal ProtectionOwned by Indian franchisees 56. Castle SecurityGuard ServicesIndian-owned 57. Apex SurveillanceVideo MonitoringOwned by Indian entrepreneurs 58. Dominion SecurityEvent SecurityIndian-owned 59. Fortress ProtectionCorporate and Private SecurityOwned by Indian franchisees 60. First Response SecurityEmergency Security ServicesIndian-owned 61. North Star ProtectionPatrol and Guard ServicesIndian franchise ownership 62. Platinum Security SolutionsIntegrated Security SolutionsOwned by Indian entrepreneurs 63. Shield of HonorSecurity PatrolsIndian-owned 64. Vantage SecurityMobile Patrol and MonitoringIndian franchisee ownership 65. Security DynamicsRisk Management ServicesOwned by Indian entrepreneurs 66. Guardian Security ExpertsComprehensive Security SolutionsIndian-owned 67. Trident SecurityPersonal and event securityOwned by Indian franchisees 68. Alpine SecurityManned Guard ServicesIndian-owned 69. Secure ProConsulting and InstallationOwned by Indian entrepreneurs 70. Jet Security ServicesPhysical SecurityIndian franchise ownership 71. Tactical Security SolutionsSecurity and InvestigationsOwned by Indian-owned 72. Bullseye SecurityCorporate SecurityIndian franchisee ownership 73. Expert Security ServicesPhysical and Event SecurityOwned by Indian entrepreneurs 74. Roots SecurityHome SecurityIndian-owned 75. Unseen ThreatCybersecurity and SurveillanceIndian franchise ownership 76. Secure Guard ServicesManned Security and PatrolOwned by Indian franchisees 77. Sentry Protection ServicesPersonal and Corporate SecurityIndian-owned 78. Vigil Security SolutionsIntegrated Security SolutionsOwned by Indian entrepreneurs 79. ShieldGuardAlarm and Monitoring ServicesIndian franchise ownership 80. Hawk SecuritySurveillance ServicesOwned by Indian entrepreneurs 81. 
Safe Haven SecurityEvent ProtectionIndian-owned 82. Ironclad SecurityResidential and Commercial SecurityOwned by Indian franchisees 83. Element SecurityRisk Assessment ServicesIndian-owned 84. Peacekeeper SecurityPersonal ProtectionOwned by Indian entrepreneurs 85. Red Shield SecurityPatrol and Response ServicesIndian franchise ownership 86. Apex Guard ServicesMobile PatrolOwned by Indian franchisees 87. Security Solutions GroupComprehensive Security ConsultingIndian-owned 88. Fortress IntelligenceInvestigative ServicesOwned by Indian-owned 89. Titan SurveillanceMonitoring and SurveillanceIndian franchise ownership 90. Unity WatchSecurity ServicesOwned by Indian entrepreneurs 91. Vanguard Protection ServicesExecutive and Corporate SecurityIndian-owned 92. Komodo SecurityPersonalized Security SolutionsOwned by Indian franchisees 93. Trusafe SecurityEvent and Venue ProtectionIndian-owned 94. Absolute GuardPersonal and Business SecurityOwned by Indian entrepreneurs 95. Shield ApproachComprehensive Security SolutionsIndian franchise ownership 96. Nova Security ServicesDigital SecurityOwned by Indian franchisees **97. Apex Vigil
2
3
164
🛡️ SIEM Log Correlation & Detection Eng (SOC Analyst Focus)

**Core Concept**
- SIEM ingests logs from FW, EPs, servers, PAM (e.g., CyberArk), and cloud services.
- Correlation rules detect suspicious patterns across logs.
- Analysts tune rules to cut FPs while catching real threats.

**Data Sources**
- Auth Logs: Win Event IDs (4624/4625/4672), Linux auth.log.
- Net Logs: FW denies, IDS/IPS alerts, NetFlow.
- Priv Access Logs: CyberArk vault access, sess recordings, cred checkouts.
- Cloud Telemetry: AWS CloudTrail, Azure AD sign-ins, GCP audit logs.

**Correlation Techniques**
- Rule-based: e.g., 5 failed logins (4625) → successful (4624) from same IP = brute force success.
- Temporal: Link events in a time window (e.g., priv esc <10 min after login).
- Cross-source: VPN login from foreign country + PAM cred checkout + unusual outbound traffic = insider threat.
- Behavioural: Compare vs historical baseline (e.g., normal UK login → sudden Russia).

**Detection Engineering**: SOC analysts write detection logic in query languages. See a few examples below:
- Splunk SPL:
```spl
index=wineventlog (EventCode=4625 OR EventCode=4624)
| stats count by Account_Name, src_ip
| where count > 5
```
- Azure Sentinel KQL:
```kql
SecurityEvent
| where EventID in (4624, 4625)
| summarize Count=count() by Account, IpAddress, bin(TimeGenerated, 10m)
| where Count > 5
```

**Challenges**
- FPs: Broad rules create noise.
- Data Norm: Standardise varied log formats.
- Scalability: Efficient indexing for billions of EPS.
- Enrichment: Add TI feeds, geoIP, and asset criticality to logs.

**SOC Analyst Workflow**
1. Alert fires from the SIEM rule.
2. Triage: Check user/device/time/geo context.
3. Deep dive: Pivot to related logs (EP, PAM, FW).
4. Map to MITRE ATT&CK (e.g., T1078 Valid Accounts).
5. Respond: Escalate IR, isolate host, revoke creds.
6. Feedback: Tune the rule for better accuracy.

**Real-World Ex (PAM Integration)**
- CyberArk logs: Privileged credentials checkout at 2 AM.
- SIEM correlates w/ VPN login from foreign IP + large outbound transfer.
- Investigation → compromised priv acct.
- Containment: Disable acct, revoke vault access, block IP.

#SOC_Analysts #ThreatHunting #IncidentResponse #SecurityAnalysts #BlueTeam #DigitalForensics #CyberSecurity #NetworkSecurity #MalwareAnalysis #SOC
1
3
123
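The filter → group → filter → sort → limit pipeline from the KQL lesson further up, and the rule-based correlation described in this post (several failed logons followed by a success from the same IP within a short window), implemented in Python over constructed SecurityEvent-style records. This is an added example, not code from either post; the event data, the user and IP values, the 50-failure threshold and the 10-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 11, 14, 2, 0, 0)  # constructed base timestamp


def make_events():
    """Build a constructed SecurityEvent-like sample (invented data, not real telemetry).

    Each record carries the columns the KQL queries use: EventID, TargetUserName,
    IpAddress and TimeGenerated.
    """
    events = []

    def add(event_id, user, ip, offset_s):
        events.append({"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
                       "TimeGenerated": T0 + timedelta(seconds=offset_s)})

    # 60 failed logons in five minutes, then a success from the same IP
    for i in range(60):
        add(4625, "jsmith", "203.0.113.10", 5 * i)
    add(4624, "jsmith", "203.0.113.10", 360)
    # a user who mistyped a password three times, then got in: benign
    for i in range(3):
        add(4625, "amy", "198.51.100.7", 30 * i)
    add(4624, "amy", "198.51.100.7", 120)
    # a service account hammered from the same source, no success
    for i in range(55):
        add(4625, "svc_backup", "203.0.113.10", 7 * i)
    return events


def brute_force_candidates(events, threshold=50, limit=10):
    """Filter -> Group -> Filter -> Sort -> Limit, as in the KQL lesson."""
    # 1. filter failed logons first: the cheapest step, and it shrinks everything after it
    failed = (e for e in events if e["EventID"] == 4625)
    # 2. group and count by (target user, source IP)
    counts = defaultdict(int)
    for e in failed:
        counts[(e["TargetUserName"], e["IpAddress"])] += 1
    # 3. keep only groups above the threshold (KQL: where Attempts > 50)
    hits = [(user, ip, n) for (user, ip), n in counts.items() if n > threshold]
    # 4. worst first, 5. cap the output
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits[:limit]


def failed_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a 4624 preceded by at least min_failures 4625s from the same (user, IP) inside the window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["TargetUserName"], e["IpAddress"])].append(e)
    findings = []
    for (user, ip), group in by_key.items():
        group.sort(key=lambda e: e["TimeGenerated"])
        for e in group:
            if e["EventID"] != 4624:
                continue
            start = e["TimeGenerated"] - window
            prior_failures = sum(
                1 for f in group
                if f["EventID"] == 4625 and start <= f["TimeGenerated"] < e["TimeGenerated"]
            )
            if prior_failures >= min_failures:
                findings.append({"user": user, "ip": ip,
                                 "success_at": e["TimeGenerated"],
                                 "failures_before": prior_failures})
    return findings


if __name__ == "__main__":
    sample = make_events()
    print("brute-force candidates:", brute_force_candidates(sample))
    print("failed-then-success:", failed_then_success(sample))
```

The per-group sort plus a window scan is the Python equivalent of `summarize ... by bin(TimeGenerated, 10m)`; the difference is that a sliding window catches a failure run that straddles a bin boundary, which a fixed 10-minute bin splits in two.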
14 Nov 2025
Join the community that’s redefining cybersecurity — learn, hack, and protect the future together. 🔐 #BSidesDehradun #CyberSecurity #HackTheFuture #InfoSecCommunity #CTF #TechConference #EthicalHacking #SecurityEvent
1
2
26
SecurityEvent
| where TimeGenerated > ago(90d)
| where EventID == 4624 and LogonType == 10
| where not (dayofweek(TimeGenerated) between (1d .. 5d) and hourofday(TimeGenerated) between (8 .. 18))
| where Computer !contains "REDACTED" // exclude global RDSH servers
| project TimeGenerated, Computer, Account, IpAddress, LogonProcessName, WorkstationName, LogonTypeName
| order by TimeGenerated desc

so let's tune that for working hours

great! now we can use this as the basis for an alert if we feel it's appropriate. Clearly you may need to add way more business logic in here, it's just an example!
2
780
so let's try this!

SecurityEvent
| where TimeGenerated > ago(90d)
| where EventID == 4624 and LogonType == 10
| where not (dayofweek(TimeGenerated) between (1d .. 5d) and hourofday(TimeGenerated) between (9 .. 17))
| where Computer !contains "REDACTED" // exclude global RDSH servers
| project TimeGenerated, Computer, Account, IpAddress, LogonProcessName, WorkstationName, LogonTypeName
| order by TimeGenerated desc
1
3
959
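The after-hours RDP logon filter from the two posts above, implemented in Python over constructed SecurityEvent-style records so the time semantics can be checked. This is an added example, not the posts' own code; the records, host names and IPs are constructed, and the "RDSH" substring stands in for the redacted server names. One detail the KQL hides: `dayofweek()` returns a timespan with Sunday = 0d, while Python's `weekday()` has Monday = 0, and KQL `between` is inclusive on both ends, so 18:30 still counts as working hours with `(8 .. 18)` but not with `(9 .. 17)`.

```python
from datetime import datetime

# Stand-in for the redacted global RDSH server names in the posts' query (constructed)
RDSH_EXCLUDE = ("RDSH",)

# Constructed SecurityEvent-style records (invented data).
# 2025-11-10 is a Monday, 2025-11-15 a Saturday and 2025-11-16 a Sunday.
SAMPLE_EVENTS = [
    {"TimeGenerated": datetime(2025, 11, 10, 10, 15), "EventID": 4624, "LogonType": 10,
     "Computer": "SRV-FILE-02", "Account": "CORP\\jsmith", "IpAddress": "10.0.4.21"},   # working hours
    {"TimeGenerated": datetime(2025, 11, 15, 11, 0), "EventID": 4624, "LogonType": 10,
     "Computer": "WS-FIN-07", "Account": "CORP\\admin_t", "IpAddress": "10.0.9.3"},     # Saturday
    {"TimeGenerated": datetime(2025, 11, 10, 23, 30), "EventID": 4624, "LogonType": 10,
     "Computer": "SRV-FILE-02", "Account": "CORP\\jsmith", "IpAddress": "10.0.4.21"},   # late night
    {"TimeGenerated": datetime(2025, 11, 10, 18, 30), "EventID": 4624, "LogonType": 10,
     "Computer": "SRV-DB-01", "Account": "CORP\\dba", "IpAddress": "10.0.2.8"},         # hour 18: inside 8..18, outside 9..17
    {"TimeGenerated": datetime(2025, 11, 16, 3, 0), "EventID": 4624, "LogonType": 10,
     "Computer": "RDSH01", "Account": "CORP\\ops", "IpAddress": "10.0.1.50"},           # excluded host
    {"TimeGenerated": datetime(2025, 11, 10, 10, 0), "EventID": 4624, "LogonType": 3,
     "Computer": "SRV-FILE-02", "Account": "CORP\\jsmith", "IpAddress": "10.0.4.21"},   # network logon, not RDP
]


def kql_dayofweek(dt):
    """Mirror KQL dayofweek(): 0 = Sunday ... 6 = Saturday (Python weekday() has Monday = 0)."""
    return (dt.weekday() + 1) % 7


def in_business_hours(dt, start_hour=8, end_hour=18):
    """Monday..Friday (1d .. 5d) and start_hour..end_hour inclusive, like KQL 'between'."""
    return 1 <= kql_dayofweek(dt) <= 5 and start_hour <= dt.hour <= end_hour


def after_hours_rdp(events, start_hour=8, end_hour=18, exclude=RDSH_EXCLUDE):
    """Interactive RDP logons (4624, LogonType 10) outside working hours, newest first."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 10:
            continue
        if in_business_hours(e["TimeGenerated"], start_hour, end_hour):
            continue
        # KQL !contains is case-insensitive, so compare lower-cased
        if any(x.lower() in e["Computer"].lower() for x in exclude):
            continue
        hits.append(e)
    hits.sort(key=lambda e: e["TimeGenerated"], reverse=True)
    return [(e["TimeGenerated"], e["Computer"], e["Account"], e["IpAddress"]) for e in hits]


if __name__ == "__main__":
    for row in after_hours_rdp(SAMPLE_EVENTS):
        print(row)
    print("with 9..17:", len(after_hours_rdp(SAMPLE_EVENTS, 9, 17)), "hits")
```

Running the same records through both hour ranges shows why tuning matters: the 18:30 logon only becomes an alert with the tighter `(9 .. 17)` window, which is exactly the kind of business-logic decision the post says has to be made per environment.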
26 Sep 2025
Whatever the event, make sure it runs safely and smoothly; just tap the Tnos app. Download the Tnos app from the Play Store play.google.com/store/apps/d… or from the App Store apps.apple.com/us/app/tnos/i… Need help or full information? Contact us at 0811-9595-493 (WA) #LetsWork #eventsecurity #tnosapp #guardevent #eventprotecting #eventrisk #eventorganizer #promotormusik #pengamananevent #securityevent
1
57
28 Jul 2025
Papuan Arts Performance in Surabaya Turns Chaotic, Students Forcibly Break Up the Event. An arts performance also needs good planning, including for its security. Whatever the event, make sure it runs safely and smoothly. Assess your event's security risk, then decide on the security you need and book it through the Tnos app. Download the Tnos app from the Play Store play.google.com/store/apps/d…… or from the App Store apps.apple.com/sa/app/tnos/i…… Need help or full information? Contact us at 0811-9595-493 (WA) #LetsWork #Innovative #eventsecurity #tnosapp #guardevent #eventprotecting #eventrisk #eventorganizer #promotormusik #bodyguard #pengamananevent #securityevent #pentasseni
1
2
304
📣 We’re heading to MLA EXPO25 – Join us from October 17–19, 2025 at the Telford International Centre. Come visit us at Stand H2.56. 🎟️ Get your FREE ticket here: locksmiths.yarringtonevents.… #MLAEXPO25 #LocksmithExpo #SecurityEvent #IndustryEvent #TelfordEvents
2
98
I am thrilled to announce that one of my talented interns will deliver a session at the highly anticipated Security Talk event, hosted by the Association for Cyber Security (ACS). Don’t miss out on this valuable opportunity; join the session by scanning the QR code.
2
20
Replying to @0x534c
In relation to access to the Admin Share, we use a generic detection rule that will catch more widely. You can exclude specific service accounts etc.

SecurityEvent
| where AccountType == "User"
| where EventID == 5140
| where ShareName has "ADMIN$"
1
209
9 Jan 2025
Remember! This Line-Up of Big Concerts Is Waiting Next Month detik.com/pop/music/d-772191…. Make sure your event is a success; prepare everything, including its security. Tap the Tnos app. Use security from the Tnos App and pay only for the duration and the number of personnel. For full information, contact 0811-9595-493 (WA). Pay with @KartuKreditBCA and get 0% interest instalments for 3 or 6 month tenors. Check at: app.tnosworld.com #eventprotection #fyptwitterviral #promotor #securitysolutions #securitycompany #protection #bodyguardservices #SafetyFirst #shows #EVENT #eventorganizer #amanterlindungi #wedding #securityevent #eventsetups #konser
1
2
120
26 Dec 2024
Wedding Fashion Trends in 2025 According to Designer Christie Basil popmama.com/life/fashion-and…. Prepare everything for your special event, and don't forget its security; use security from the Tnos App and pay only for the duration and the number of personnel. For full information, contact 0811-9595-493 (WA). Pay with @KartuKreditBCA and get 0% interest instalments for 3 or 6 month tenors. Check at: app.tnosworld.com #eventprotection #fyptwitterviral #promotor #securitysolutions #securitycompany #protection #bodyguardservices #SafetyFirst #shows #EVENT #eventorganizer #amanterlindungi #wedding #securityevent #eventsetups #NewYear2025
1
1
87
🔐 [NEW BLOG] #MicrosoftSentinel allows you to stream, and filter #Windows #Firewall application logs collected from machines and servers using the new #WindowsFirewall via #AzureMonitorAgent to the "ASimNetworkSessionLogs" normalized schema table. ❓ One question we are frequently asked is whether we can use the #WindowsForwardedEvents solution using #AMA to collect Windows Firewall Events to be forwarded to a Windows Event Collector machine, similar to collecting Windows #SecurityEvent logs instead of individually loading the AMA agent on each server. 🤙 The short answer is YES! 🎉 🚀 This guide will describe all the steps to configure and collect #WindowsFirewall Events from servers, send them to #Microsoft #Sentinel using the Windows Forwarded Events #WEF solution, and get them ingested into the "ASimNetworkSessionLogs" normalized table using ingestion-time data transformation. 🔥 This approach would not require installing and managing the #AMA on each machine but to keep collecting from a central server with outbound connectivity. Learn more! 👇👇👇 charbelnemnom.com/collect-wi… #MicrosoftSecurity #SIEM #SOAR #NetworkSecurity #AzureSecurity

1
4
204
Sorry my DCsync query was missing loads... this needs customisation to suit your environment (e.g. you need to exclude your domain controllers)

// Hunt for DCSync Events
SecurityEvent
| where TimeGenerated > ago(90d)
| where EventID == 4662 // this requires that non default auditing be enabled
| where AccessMask has "0x100" // control access right; AccessMask is a string column, so match it as text
| where AccountType != "Machine"
| where AccountName !endswith "$" and AccountName !has "DC" // exclude machine accounts AND DC accounts (both must hold)
| where EventData has "Replicating Directory Changes all"
    or EventData has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    or EventData has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    or EventData has "89e95b76-444d-4c62-991a-0facbeda640c"
| sort by TimeGenerated desc


1
11
2,416
There's more required for Kerberoasting (this query can be improved) - but this gives the extra details.

// Event ID 4769 = Kerberos service ticket (TGS) requested
SecurityEvent
| where TimeGenerated > ago(90d)
| where EventID == 4769 // this requires that non default auditing be enabled (I think)
// Ticket options = 0x40810000 and Ticket encryption = 0x17 (RC4)
| where EventData contains "0x40810000" and EventData contains "0x17"
2
12
2,762
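The DCSync hunt and the Kerberoasting query from the two posts above, rewritten as Python detection logic over constructed SecurityEvent-style records, with the exclusions both posts say are still needed. This is an added example, not either post's own code. The records, host and account names are constructed; the extended-right GUIDs are the three from the DCSync post (their names, DS-Replication-Get-Changes, -All and -In-Filtered-Set, are the standard Active Directory names for them); the extra filters (dropping machine accounts and krbtgt as ticket targets, an allowlist for a directory-sync service account that legitimately holds replication rights) are assumptions added here, and the sample allowlist entry is a placeholder.

```python
# Extended-right GUIDs that grant directory replication (the three the DCSync hunt matches)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allowlist: identities that legitimately replicate (e.g. a directory-sync service account)
REPLICATION_ALLOWLIST = {"svc_aadconnect"}

# Constructed SecurityEvent-style records (invented data, not real telemetry)
SAMPLE_EVENTS = [
    # 4662: a DC replicating with its own machine account (normal)
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # 4662: allowlisted sync service account
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc_aadconnect", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # 4662: an ordinary user account exercising both replication rights
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "bob", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # 4662: control access on an unrelated object (user class GUID), no replication right involved
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "alice", "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # 4769: service ticket requests, RC4 (0x17) unless stated otherwise
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql", "IpAddress": "10.0.5.12",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web", "IpAddress": "10.0.5.12",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "WS01$", "IpAddress": "10.0.5.12",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},     # machine account target
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt", "IpAddress": "10.0.5.12",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},     # krbtgt target
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_sql", "IpAddress": "10.0.7.4",
     "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000"},     # AES256 ticket
]


def is_machine_account(name):
    return name.endswith("$")


def dcsync_findings(events, allowlist=REPLICATION_ALLOWLIST):
    """4662 control-access events where a non-machine, non-allowlisted subject used a replication right."""
    findings = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"].lower() != "0x100":
            continue
        subject = e["SubjectUserName"]
        if is_machine_account(subject) or subject.lower() in allowlist:
            continue
        props = e["Properties"].lower()
        rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
        if rights:
            findings.append((subject, e["Computer"], rights))
    return findings


def kerberoast_findings(events):
    """Requesters of RC4 (0x17) service tickets with options 0x40810000, and the services they asked for."""
    per_requester = {}
    for e in events:
        if e["EventID"] != 4769:
            continue
        if e["TicketEncryptionType"].lower() != "0x17" or e["TicketOptions"].lower() != "0x40810000":
            continue
        service = e["ServiceName"]
        if is_machine_account(service) or service.lower() == "krbtgt":
            continue
        per_requester.setdefault(e["TargetUserName"], set()).add(service)
    return {user: sorted(services) for user, services in per_requester.items()}


if __name__ == "__main__":
    print("DCSync:", dcsync_findings(SAMPLE_EVENTS))
    print("Kerberoast:", kerberoast_findings(SAMPLE_EVENTS))
```

Grouping the 4769s per requester rather than alerting on each one is what turns the raw filter into a usable signal: one account pulling RC4 tickets for several distinct services in a short time is the pattern worth a ticket, while a single RC4 request for an old service is mostly noise.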