Bert-Jan 🛡️
@BertJanCyber
CSIRT | http://kqlquery.com | Microsoft Security MVP | Blue & Purple Team | SOC | SIEM | Threat Hunting | Detection Engineering | #KQL |
kqlquery.com is live! 🛡️ I have been thinking about starting a blog page for a while now, and the first steps have been taken. In the next period, I will start uploading more #KQL and security related content.
An interesting and still developing technique, I would say. 2 quick #KQL queries out for #MicrosoftSentinel and #MDE if you want to hunt for it. github.com/SecurityAura/D… It can probably be adapted to look for cmd.exe as well, or other interpreters, binaries, etc. Will update as we go.
Observed domains embedding PowerShell commands in their TXT records. @DomainTools @banthisguy9349 @RacWatchin8872 @SquiblydooBlog @skocherhan @500mk500 @volrant136 @smica83
This is big! Introducing Microsoft Sentinel data lake techcommunity.microsoft.com/blog/microsoft…
Strengthen identity threat detection and response with linkable token identifiers. Linkable token identifiers are now available for: Entra sign-in logs, Exchange Online audit logs, Graph activity logs, Teams audit logs and SharePoint Online audit logs. techcommunity.microsoft.com/blog/microsoft…
Quick tip: if you use the /security/runHuntingQuery Graph API call, the default Timespan is 30 days. By setting the additional Timespan parameter, you can retrieve logs from more than 30 days ago. learn.microsoft.com/en-us/graph/ap…
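As an added example (not code from the original post), this Python builds the runHuntingQuery request body with an explicit Timespan and flattens the response; the endpoint path, body keys, permission name and response shape are my assumptions from the Graph documentation, and the sample response is constructed.

```python
"""Build and parse Microsoft Graph advanced-hunting requests (added example).

Assumptions (not from the original post): the Graph endpoint is
POST https://graph.microsoft.com/v1.0/security/runHuntingQuery with a JSON
body of {"Query": <KQL>, "Timespan": <ISO 8601 duration>}, and the response
carries "schema" and "results". SAMPLE_RESPONSE below is constructed.
"""
import json
import urllib.request
from typing import Dict, List, Optional

GRAPH_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"
DEFAULT_LOOKBACK_DAYS = 30  # what Graph applies when Timespan is omitted


def build_request_body(query: str, lookback_days: Optional[int] = None) -> Dict:
    """Return the JSON body. Timespan is only added when the caller asks for a
    window, so the 30-day default stays visible rather than silent."""
    body = {"Query": query}
    if lookback_days is not None:
        if lookback_days < 1:
            raise ValueError("lookback_days must be >= 1")
        body["Timespan"] = f"P{lookback_days}D"  # ISO 8601 duration, e.g. P90D
    return body


def rows_from_response(response: Dict) -> List[Dict]:
    """Flatten a runHuntingQuery response into plain dicts, keeping only the
    columns the schema declares (keys not in the schema are dropped)."""
    columns = [c["name"] for c in response.get("schema", [])]
    return [{col: row.get(col) for col in columns} for row in response.get("results", [])]


def run_hunting_query(token: str, query: str, lookback_days: Optional[int] = None) -> List[Dict]:
    """Live call (assumed to need a token with ThreatHunting.Read.All); not run offline."""
    data = json.dumps(build_request_body(query, lookback_days)).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(GRAPH_URL, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return rows_from_response(json.load(resp))


# Constructed sample response, shaped like the API's, for offline use.
SAMPLE_RESPONSE = {
    "schema": [{"name": "Timestamp", "type": "DateTime"}, {"name": "DeviceName", "type": "String"}],
    "results": [{"Timestamp": "2025-05-01T10:00:00Z", "DeviceName": "ws01", "ReportId": 7}],
}
```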
The guidance has been updated with a patch and new KQL hunting query. msrc.microsoft.com/blog/2025/07/c…
Sorry to disturb your weekend. There is a SharePoint 0day actively abused. Do not only focus on the rule of MSRC for hunting, other blogs also share different files and folders in use! Additional info: MSRC: msrc.microsoft.com/blog/2025/07/c… Blog by @eyesecurity_: research.eye.security/sharepoint-und…
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. We have outlined mitigations and detections in our blog. Our team is working urgently to release…
Mercedes will let you onboard your car in Intune? This is the stupidest thing I've heard this week.
🔎 Detect Direct Send phishing emails. Below you can find a query that can help you find phishing emails being sent using #Microsoft Exchange Direct Send. #Kusto #KQL #DefenderXDR #MicrosoftSentinel github.com/HybridBrothers…
New Blog: Hunting Through APIs - Logic App Edition Logic Apps allow organizations to automate processes easily. This blog discusses how KQL can be used in Logic Apps through the Graph API, Azure Monitor API and Defender ATP API to automate SOC processes. kqlquery.com/posts/logicapp…
Fix MDE selective isolation with Isolation Exclusions rules and allow Teams & Outlook communication again. Five minutes of work and a functionality restored to its former glory! lousec.be/mde/isolation-…
GraphApiAuditEvents is now in Public Preview. The data is natively ingested into Unified XDR. This may become the alternative for MicrosoftGraphActivityLogs, as they are costly to ingest but very valuable for incident response. learn.microsoft.com/en-us/defender…
Drafted some #KQL to hunt for filefix. Suspicious Explorer Child Process: github.com/Bert-JanP/Hunt… Suspicious Browser Child Process (you may want to add some custom exclusions or match specific command-line parameters): github.com/Bert-JanP/Hunt…
Sometimes it's good to read junk mail and laugh. ✅ Cobalt Strike Beacon ✅ GDPR Buzzword ✅ Mentioning that you are an ATP hacking group ✅ Lateral movement from cloud email to all my local devices

In the third session of the evening @BertJanCyber is talking about "Attack Disruption and Beyond" #MC2MC #MC2MCLive #Community #CommunityPower
We have some new logs again: DisruptionAndResponseEvents

3rd session of the evening @mc2mcbe by @BertJanCyber on ‘Attack Disruption and Beyond’ #MVPBuzz #Security #community
We’re thrilled to welcome @BertJanCyber as a speaker at MC2MC Live: Voyage to the Edge of the Cloud!🚀 📅 Thursday, June 26th 🎟️ tinyurl.com/5n7769en #MC2MC #MC2MCLive #Community #Security #M365 #Azure