Improving your security baseline with KQL

One of my favourite sayings is ‘don’t let perfect be the enemy of good’. I think in cyber security, we can all be guilty of striving for perfection. Whether that is your MFA deployment, reducing local admin privilege or whatever your project may be. The reality is, in most larger organizations you will always have&ellipsis;Read the full post »

KQL lessons learnt from #365daysofKQL

If you follow my Twitter or GitHub account, you know that I recently completed a #365daysofKQL challenge. Where I shared a hunting query each day for a year. To round out that challenge, I wanted to share what I have learnt over the year. Like any activity, the more you practice, the better you become&ellipsis;Read the full post »

Detecting malware kill chains with Defender and Microsoft Sentinel

The InfoSec community is amazing at providing insight into ransomware and malware attacks. There are so many fantastic contributors who share indicators of compromise (IOCs) and all kinds of other data. Community members and vendors publish detailed articles on various attacks that have occurred. Usually these reports contain two different things. Indicators of compromise (IOCs)&ellipsis;Read the full post »

Too much noise in your data? Summarize it!

Defenders are often looking for a single event within their logs. Evidence of malware or a user clicking on a phishing link? Whatever it may be. Sometimes though you may be looking for a series of events, or perhaps trends in your data. Maybe a quick increase in a certain type of activity. Or several&ellipsis;Read the full post »


Something went wrong. Please refresh the page and/or try again.

Follow My Blog

Get new content delivered directly to your inbox.